alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] LUMAR Stealer Check-In via TCP"; flow:established,to_server; stream_size:server, =, 1; dsize:1079; pcre:"/^(?:[0-9a-f]{8})-(?:[0-9a-f]{4})-(?:[0-9a-f]{4})-(?:[0-9a-f]{4})-(?:[0-9a-f]{12})\x00/"; content:"|00|LMR-"; offset:36; depth:5; fast_pattern; pcre:"/^(?:\d{3})\x2d(?:\d{3})/R"; reference:md5,a39a78f6141c7aea6555b61ad6d44b94; reference:url,app.any.run/tasks/7bcdd299-9044-47f2-b8a0-9133e2e7728c; reference:url,community.emergingthreats.net/t/poverty-stealer/; classtype:command-and-control; sid:2047066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_07, deployment Perimeter, malware_family LUMAR, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_28, reviewed_at 2024_01_26; target:src_ip;)