alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ANY.RUN] Stealc/Vidar Stealer TLS Certificate"; flow:established,to_client; tls.cert_subject; content:"CN="; pcre:"/^(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d{1,2})){3}$/R"; content:"OU=privateIP"; content:"O=StaticIP"; fast_pattern; content:"L=NY"; content:"ST=NY"; content:"C=XX"; reference:md5,8db522805e565ad411c8b713dd5558a1; reference:url,app.any.run/tasks/f1d0c5fd-5e4e-49cc-984e-751cf7ea56fc; reference:url,community.emergingthreats.net/t/vidar-stealer/1106/; classtype:trojan-activity; sid:2049253; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_11_17, deployment Perimeter, malware_family Stealc, malware_family VidarStealer, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_28; target:dest_ip;)