alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Activity)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Session|3a 20|"; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; content:"X-ID|3a 20|"; content:!"|0d 0a|"; within:2; pcre:"/^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})/R"; http.header_names; content:"X-Session|0d 0a|X-Info|0d 0a|X-Config|0d 0a|X-ID"; fast_pattern; threshold:type limit,track by_src,seconds 300,count 1; reference:url,twitter.com/Jane_0sint/status/1666019485583659008; reference:md5,c28cc92a7c78b96bec58fa3e5398074a; reference:url,community.emergingthreats.net/t/observerstealer/624; reference:url,app.any.run/tasks/5728c30e-00c1-4f87-9522-ff8b9e08fa32/; classtype:trojan-activity; sid:2046153; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_07, deployment Perimeter, malware_family ObserverStealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_07;)