alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Golang Easy Stealer Exfil (POST)"; flow:established,to_server; flowbits:set,ET.easystealer; urilen:7; http.method; content:"POST"; http.uri; content:"/apache"; startswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Go-http-client/1.1"; http.content_type; content:"application/x-www-form-urlencoded"; http.accept_enc; content:"gzip"; http.request_body; pcre:"/^(?:(?:[a-z0-9]{32}\x3d[A-Z]{2}\x26)(?:[a-z0-9]{32}\x3d)(?:[a-z0-9]{32})\x26(?:[a-z0-9]{32}\x3d))/"; reference:url,twitter.com/Jane_0sint/status/1674425418429112329; reference:md5,731ed24011df3a33fe5d3765bf424b0c; classtype:trojan-activity; sid:2046690; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_29, deployment Perimeter, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_25, reviewed_at 2024_01_26; target:src_ip;)