alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound"; flow:established,to_client; http.response_body; content:"|3c|s|3a|Envelope|20|xmlns|3a|s|3d 22|http|3a 2f 2f|schemas|2e|xmlsoap|2e|org|2f|soap|2f|envelope|2f 22 3e|"; content:"|3c|a|3a|BlockedCountry"; content:"|3c|a|3a|BlockedIP"; content:"|3c|a|3a|ScanBrowsers|3e|"; content:"|3c|a|3a|ScanChromeBrowsersPaths"; content:"|3c|a|3a|ScanDiscord|3e|"; content:"|3c|a|3a|ScanScreen|3e|"; content:"|3c|a|3a|ScanSteam|3e|"; content:"|3c|a|3a|ScanVPN|3e|"; content:"|3c|a|3a|ScanWallets|3e|"; fast_pattern; reference:url,twitter.com/crep1x/status/1648063045808148481; reference:md5,43967615d9e0e19bc59d32fdb5afd7e4; classtype:command-and-control; sid:2045001; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_04_17, deployment Perimeter, malware_family Win32_LeftHook, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_13;)