alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RootTeam Stealer CnC Exfil M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/report"; http.user_agent; content:"Go-http-client"; startswith; http.content_type; content:"application/json"; http.accept_enc; content:"gzip"; http.request_body; content:"|7b 22|"; startswith; content:"cookies"; content:"discord"; content:"minecraft"; content:"name"; content:"nickname"; content:"passwords"; content:"steam"; content:"telegram"; content:"|22|uploader|22 3a 22 7b 5c 22|access_key|5c 22 3a 5c 22|"; content:"delete_key"; content:"direct_url"; content:"expiry"; content:"filename"; content:"|5c 22|mimetype|5c 22 3a 5c 22|application/zip|5c 22|"; fast_pattern; content:"original_name"; content:"sha256sum"; content:"size"; content:"url"; content:"wallets"; reference:md5,b985f86091846026c4ea9b93d78e7524; reference:url,twitter.com/FalconFeedsio/status/1649641466300334081; classtype:trojan-activity; sid:2045867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_05_25, deployment Perimeter, malware_family RootTeamStealer, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_07_12; target:src_ip;)