I would like to suggest to you the rules from any.run. Is it okay if the name is their name? I just have them now.
Link to sample:
where it sends one GET request.
Exfiltration was not found; perhaps it is in the encoded text, although a lot of data will not fit there. Tweet: https://twitter.com/Jane_0sint/status/1660916458447069184?s=20
alert http any any -> any any (msg: "ET [ANY.RUN] GoodMorning Ransomware"; flow: established, to_server; urilen: >1000; content: "_And_Netword_Drive_Size:"; http_uri; content: "_Encryption_Mode"; http_uri; distance: 0; content: "GET"; http_method; content:!"User-Agent|3a|"; http_header; classtype: trojan-activity; metadata: malware_family GoodMorning_Ransomware, created_at 2023_05_21; sid: 1; rev: 1;)
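To sanity-check the rule's logic offline, the following added example (not part of the original post and not ANY.RUN's code) re-implements its per-request conditions in Python and runs them over constructed requests. The function names, sample URIs and headers are assumptions made for illustration; only the two content strings come from the rule.

```python
# Added example: approximates the rule's conditions for review purposes.
# It is not a Suricata replacement; URI/header normalization is not modelled.

FIRST = "_And_Netword_Drive_Size:"   # spelled exactly as in the rule
SECOND = "_Encryption_Mode"


def rule_matches(method: str, uri: str, headers_raw: str) -> bool:
    """Return True when a request satisfies every condition of the rule."""
    if method != "GET":                      # content:"GET"; http_method;
        return False
    if len(uri) <= 1000:                     # urilen:>1000; (strictly greater)
        return False
    start = uri.find(FIRST)                  # case-sensitive: rule has no nocase
    if start < 0:
        return False
    # distance:0 -> the second content must begin at or after the end of the first
    if uri.find(SECOND, start + len(FIRST)) < 0:
        return False
    if "User-Agent:" in headers_raw:         # content:!"User-Agent|3a|"; http_header;
        return False
    return True


def evaluate_samples() -> dict:
    """Run the check over constructed requests (not captured traffic)."""
    pad = "A" * 1000                         # constructed filler to exceed urilen
    good_uri = "/x?" + pad + FIRST + "1" + SECOND + "=1"
    swapped = "/x?" + pad + SECOND + "=1" + FIRST + "1"
    no_ua = "Host: example.test\r\n"
    with_ua = no_ua + "User-Agent: constructed-client/1.0\r\n"
    samples = {
        "expected_hit": ("GET", good_uri, no_ua),
        "has_user_agent": ("GET", good_uri, with_ua),
        "short_uri": ("GET", "/x?" + FIRST + "1" + SECOND, no_ua),
        "wrong_order": ("GET", swapped, no_ua),
        "post_method": ("POST", good_uri, no_ua),
    }
    return {name: rule_matches(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} -> {'ALERT' if hit else 'no alert'}")
```

Only the first constructed request alerts; the other four each fail exactly one condition, which shows which keyword is responsible for suppressing a match.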