Update!
As I thought, the first three bytes are replaceable. I propose to update the rule by replacing it with many bytes!
The code below shows a mask of several outgoing streams; a rule has been generated for the static bytes.
0000000: ____ __16 0301 00ee 0100 00ea 0303 ____ ____ ____ ____ ____ ____ ____ ____ ___..........._____.__________
000001e: ____ ____ ____ ____ ____ ____ ____ ____ 20__ ____ ____ ____ ____ ____ ____ ______..._______ _____________
000003c: ____ ____ ____ ____ ____ ____ ____ ____ ____ __00 26c_ __c_ __c0 2_c0 __c_ __..___________.___.&._._._._.
000005a: __c_ __c0 09c0 13c0 0ac0 1400 9c00 9d00 2f00 35c0 1200 0a13 0_13 0_13 0_01 _._............./.5...........
0000078: 0000 7b00 0500 0501 0000 0000 000a 000a 0008 001d 0017 0018 0019 000b 0002 ..{...........................
0000096: 0100 000d 001a 0018 0804 0403 0807 0805 0806 0401 0501 0601 0503 0603 0201 ..............................
00000b4: 0203 ff01 0001 0000 1200 0000 2b00 0908 0304 0303 0302 0301 0033 0026 0024 ............+............3.&.$
00000d2: 001d 0020 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ... _____________.__.________.
00000f0: ____ ____ ____ 1403 0300 0101 1703 0300 35__ ____ ____ ____ ____ ____ ____ _.____..........5____.__.__...
000010e: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ._..____.____.____.________.__
000012c: ____ ____ ____ ____ ____ 1703 0300 1___ ____ ____ ____ ____ ____ ____ ____ _.__._____....._._._____._.__.
000014a: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ___.___.___._....._.______.___
0000168: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____...____.....___.__._._____
0000186: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ .____________________.________
00001a4: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ _______...___.__.________.___.
00001c2: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ._
alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy";
flow: established, to_server;
content: "|16030100ee010000ea0303|";offset:3;depth:11;
content: "|20|";distance:32;within:1;
content: "|0026|";distance:32;within:2;
content: "|c0|";distance:4;within:1;
content: "|c0|";distance:1;within:1;
content: "|c009c013c00ac014009c009d002f0035c012000a13|";distance:5;within:21;
content: "|13|";distance:1;within:1;
content: "|13|";distance:1;within:1;
content: "|0100007b000500050100000000000a000a0008001d001700180019000b00020100000d001a0018080404030807080508060401050106010503060302010203ff0100010000120000002b0009080304030303020301003300260024001d0020|";distance:1;within:95;
content: "|1403030001011703030035|";distance:32;within:11;
content: "|17030300|";distance:53;within:4;
threshold: type limit, track by_dst, seconds 1300, count 1;classtype: command-and-control;
reference:md5,f0f69284967de298d89cad5585dafd15;
reference:url,app.any.run/tasks/b3ef48ea-2f47-49bb-9eff-70fcae8bf366;
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 3457845, malware_family Hydrochasma, created_at 2023_07_27;
sid: 1; rev: 1;)
It is possible to shorten it somewhere, because the client part of the SSL handshake is here.
I also have a JA3S hash, and it is calculated by Suricata, unlike JA3; the eve.json is below:
"tls":{"version":"TLS 1.3",
"ja3":{},
"ja3s":{"hash":"f4febc55ea12b31ae17cfb7e614afda8",
"string":"771,4865,43-51"}},
"app_proto":"tls",
"flow":{"pkts_toserver":14,
"pkts_toclient":16,
"bytes_toserver":1755,
"bytes_toclient":2402,
...
Keep an eye open, hydrochasma🪰
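As an added example (not part of the post above), a Python sketch of how a static-byte mask like the one shown above can be turned into the content/offset/distance/within keywords of the rule. The three sample payloads are constructed (they only reuse the `16030100ee010000ea0303` prefix from the dump), and the keyword convention follows the rule above: distance is the gap after the end of the previous match, within equals the content length.

```python
"""Derive Suricata content keywords from the static bytes of several streams.

The samples below are constructed stand-ins for several outgoing TLS
ClientHello payloads; they are not real captures.  The mask only makes
sense while the samples line up byte for byte, i.e. before any
variable-length field (session id, extensions) shifts later bytes.
"""
from itertools import groupby

# Static prefix taken from the dump above (offset 3, 11 bytes).
STATIC_HELLO = bytes.fromhex("16030100ee010000ea0303")

# Constructed samples: 3 random bytes, static prefix, 4 random bytes,
# a static 0x20, one random trailing byte.
SAMPLES = [
    bytes.fromhex("aabbcc") + STATIC_HELLO + bytes.fromhex("11223344") + b"\x20\x01",
    bytes.fromhex("ddeeff") + STATIC_HELLO + bytes.fromhex("55667788") + b"\x20\x02",
    bytes.fromhex("010203") + STATIC_HELLO + bytes.fromhex("99aabbcc") + b"\x20\x03",
]

def static_mask(samples):
    """Per byte position: the value if every sample agrees, else None."""
    n = min(len(s) for s in samples)
    return [samples[0][i] if all(s[i] == samples[0][i] for s in samples) else None
            for i in range(n)]

def static_runs(mask, min_len=1):
    """Yield (start, bytes) for each maximal run of static bytes.
    min_len lets you skip single bytes that agree only by chance."""
    for is_static, grp in groupby(enumerate(mask), key=lambda t: t[1] is not None):
        grp = list(grp)
        if is_static and len(grp) >= min_len:
            yield grp[0][0], bytes(v for _, v in grp)

def content_keywords(mask, min_len=1):
    """First run is anchored with offset/depth; later runs use
    distance (gap from end of previous match) and within (= run length)."""
    lines, prev_end = [], None
    for start, run in static_runs(mask, min_len):
        if prev_end is None:
            lines.append(f'content:"|{run.hex()}|"; offset:{start}; depth:{len(run)};')
        else:
            lines.append(f'content:"|{run.hex()}|"; distance:{start - prev_end}; within:{len(run)};')
        prev_end = start + len(run)
    return lines

if __name__ == "__main__":
    print("\n".join(content_keywords(static_mask(SAMPLES))))
```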