alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VectorStealer Data Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; content:"/sendDocument"; endswith; http.host; content:"api.telegram.org"; http.content_type; bsize:68; content:"multipart/form-data|3b 20|boundary=|22|"; startswith; content:"|22|"; distance:36; within:1; endswith; pcre:"/^multipart\/form-data\x3b\x20boundary=\x22[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\x22$/"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d|document|3b 20|filename|3d|Data|2d|"; fast_pattern; content:"."; distance:8; within:1; content:"|2e|zip|0d 0a 0d 0a|PK|03 04|"; distance:3; within:12; content:"userinfo.txt"; distance:0; reference:url,twitter.com/suyog41/status/1613511181263859712; reference:md5,7a29029e73156fa977badcb2dfab153d; classtype:command-and-control; sid:2043289; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_01_12, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag c2, updated_at 2023_04_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)