ET MALWARE TA427 Outlook Stealer Loader

SID: 2054223 | Rev: 1 | 77 views
History
Source: et/open
Created: July 2, 2024
Updated: July 2, 2024
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA427 Outlook Stealer Loader"; flow:established,to_client; http.response_body; content:"CreateObject|28 22|Scripting|2e|FileSystemObject|22 29|"; content:"CreateObject|28 22|WScript|2e|Shell|22 29|"; content:"Function|20|Stream|5f|BinaryToString|28|Binary|29|"; content:"Const|20|adTypeText|20 3d 20|2"; content:"Set|20|BinaryStream|20 3d 20|CreateObject|28 22|ADODB|2e|Stream|22 29|"; fast_pattern; content:"|27|Specify|20|stream|20|type|20 2d 20|we|20|want|20|To|20|save|20|binary|20|data|2e|"; content:"CreateObject|28 22|Msxml2|2e|DOMDocument|2e|3|2e|0|22 29|"; content:"SpecialFolders|28 22|appdata|22 29|"; content:"BinaryStream|2e|CharSet|20 3d 20 22|Windows|2d|1252|22|"; reference:url,twitter.com/asdasd13asbz/status/1808047304714473623; classtype:trojan-activity; sid:2054223; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_07_02, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_02;)
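The rule above is a set of nine `content` matches against the `http.response_body` buffer, written in Suricata's mixed notation (literal text outside `|...|`, space-separated hex byte values inside). The block below is an added example, not part of the ET rule or the Emerging Threats page: it decodes each content string into the bytes Suricata actually searches for and then applies the same all-must-be-present, case-sensitive, order-independent logic to a response body. The `RULE_CONTENTS` list is copied from the rule; the sample bodies are constructed for the example.

```python
from typing import List

# The nine content matches from ET sid 2054223, copied verbatim from the rule.
RULE_CONTENTS: List[str] = [
    "CreateObject|28 22|Scripting|2e|FileSystemObject|22 29|",
    "CreateObject|28 22|WScript|2e|Shell|22 29|",
    "Function|20|Stream|5f|BinaryToString|28|Binary|29|",
    "Const|20|adTypeText|20 3d 20|2",
    "Set|20|BinaryStream|20 3d 20|CreateObject|28 22|ADODB|2e|Stream|22 29|",
    "|27|Specify|20|stream|20|type|20 2d 20|we|20|want|20|To|20|save|20|binary|20|data|2e|",
    "CreateObject|28 22|Msxml2|2e|DOMDocument|2e|3|2e|0|22 29|",
    "SpecialFolders|28 22|appdata|22 29|",
    "BinaryStream|2e|CharSet|20 3d 20 22|Windows|2d|1252|22|",
]


def decode_content(spec: str) -> bytes:
    """Turn a Suricata content string into the raw bytes it matches.

    Text outside '|...|' is taken literally; text inside is hex byte values
    (bytes.fromhex ignores the spaces Suricata allows between them).
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {spec!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("ascii")   # literal text segment
        else:
            out += bytes.fromhex(part)    # hex-escaped segment
    return bytes(out)


def missing_contents(body: bytes) -> List[str]:
    """Return the content specs that do NOT occur in the body.

    No content in this rule carries 'nocase', 'distance' or 'within', so each
    one is a plain case-sensitive substring search anywhere in the buffer.
    """
    return [spec for spec in RULE_CONTENTS if decode_content(spec) not in body]


def match_body(body: bytes) -> bool:
    """True only when every content of the rule is present, as Suricata requires."""
    return not missing_contents(body)


# Constructed sample bodies for the example (not real captured traffic).
# SAMPLE_HIT contains every decoded content, one per line.
SAMPLE_HIT = b"\r\n".join(decode_content(c) for c in RULE_CONTENTS) + b"\r\n"

# A benign script that only touches FileSystemObject: one content of nine is
# present, so the rule must not fire.
SAMPLE_BENIGN = b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'

# Same as SAMPLE_HIT but one line differs only in letter case; because the rule
# has no 'nocase', that single content no longer matches.
SAMPLE_NEAR_MISS = SAMPLE_HIT.replace(b"Const adTypeText = 2", b"const adtypetext = 2")


if __name__ == "__main__":
    for spec in RULE_CONTENTS:
        print(decode_content(spec).decode("ascii"))
    print("hit:", match_body(SAMPLE_HIT))
    print("benign:", match_body(SAMPLE_BENIGN))
    print("near miss, missing:", missing_contents(SAMPLE_NEAR_MISS))
```

This reproduces only the content logic. In a real deployment Suricata additionally needs the flow to be established to the client, the HTTP parser to have reassembled the response, the body to fall within the configured response-body inspection limit, and (as the `tls_state TLSDecrypt` metadata notes) the traffic to be decrypted before inspection; a body that satisfies `match_body` here can still go unseen if any of those conditions is not met.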

Metadata

attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2024_07_02
deployment: SSLDecrypt
confidence: Medium
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_07_02

Comments (0)
