alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/SaintStealer CnC Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|7b 22|ok|22 3a|true"; startswith; content:"|22|is_bot|22 3a|true"; content:"|22|document|22 3a 7b 22|file_name|22 3a 22 5b|"; fast_pattern; content:"|5d|"; distance:0; content:".zip|22|"; distance:0; content:"|22|mime_type|22 3a 22|application/zip|22|"; reference:md5,1604e24ee77201e5264bcd4d8327499e; classtype:trojan-activity; sid:2039009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_09_27, deployment Perimeter, malware_family SaintStealer, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_09_27;)