alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Agartha Stealer Activity via Telegram (Response)"; flow:established,to_client; file.data; content:"|7b 22 6f 6b 22 3a 74 72 75 65 2c|"; startswith; content:"|66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 67 61 72 74 68 61 43 72 79 70 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 41 67 61 72 74 68 61 43 72 79 70 74 42 6f 74 22 7d 2c|"; distance:0; fast_pattern; reference:md5,8fcaf491499ed2505d5a6523f561bbcc; reference:url,twitter.com/suyog41/status/1645387919077646337; classtype:trojan-activity; sid:2044925; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_12, deployment Perimeter, deployment SSLDecrypt, malware_family Win32_Agartha, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_12; target:dest_ip;)