alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 143 (msg:"ET MALWARE Win32/APT28 Host Fingerprint Exfiltration via IMAP"; flow:established,to_server; content:"|24 20|APPEND|20|INBOX|20 7b|"; startswith; pcre:"/[0-9]{1,2}\x7d\x0d\x0aFrom\x3a\x20a_/R"; pcre:"/Subject\x3a[0-9]{1,2}\x2f[0-9]{1,2}\x2f[0-9]{4}\x20[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{2}\x20[AP]/R"; content:"M_report|0d 0a|"; within:10; fast_pattern; reference:url,cert.gov.ua/article/341128; reference:md5,d3bddb5de864afd7e4f5e56027f4e5ea; classtype:command-and-control; sid:2037090; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, malware_family Win32_APT28, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_22;)