ET MALWARE AtomLogger Exfil via FTP

SID: 2026824
Rev: 2
Source: et/open
Created: January 17, 2019
Updated: July 26, 2019
Classification: trojan-activity
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, malware_family AtomLogger, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;)

References

md5: 78bd897a638e7c0d3c00c31c8c68f18b

Metadata

affected product: Windows_XP_Vista_7_8_10_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2019_01_17
deployment: Perimeter
malware family: AtomLogger
performance impact: Moderate
confidence: Medium
signature severity: Major
updated at: 2019_07_26
