alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar Stealer - FaceIt Checkin Response"; flow:established,to_client; file.data; content:"|7b 22|result|22 3a 22|ok|22 2c 22|payload|22 3a 7b 22|country|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|about|22 3a 22|"; pcre:"/^[^\"]+\x7c\x22\x2c\x22/R"; reference:url,medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed; classtype:command-and-control; sid:2033066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, malware_family Arkei, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_06_02;)