alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c2sock"; bsize:7; nocase; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|file|22 0d 0a|Content-Type|3a 20|attachment/x-object|0d 0a 0d 0a|PK"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|hwid|22 0d 0a 0d 0a 7b|"; pcre:"/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x7d/R"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|pid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|lid|22|"; reference:md5,9dcde1edfdd83f7cc28dcd31323be326; reference:md5,b3b025b8445dcbd9b7aca560ad752b74; classtype:trojan-activity; sid:2043206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_01_04, deployment Perimeter, malware_family lumma, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_03, reviewed_at 2025_07_14; target:src_ip;)