alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qwerty Stealer Data Exfiltration Attempt M1"; flow:established,to_server; flowbits:set,ET.qwerty_stealer.exfil; http.method; content:"POST"; http.content_type; bsize:40; content:"multipart/form-data|3b 20|boundary|3d 2d 2d 2d 2d|qwerty"; fast_pattern; http.user_agent; bsize:1; content:"-"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|filetoupload|22 3b 20|filename|3d 22|"; content:"|5c|AppData|5c|Roaming|5c|TestLog|5c 5c|"; within:60; content:".txt|22 0d 0a|"; within:50; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; within:50; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a 0d 0a|"; within:50; content:"Computer Name|3a 20|"; within:50; content:"IP Address|3a 20|"; within:50; content:"User Name|3a 20|"; within:50; content:"Operating System Version|3a 20|"; within:50; reference:url,www.cyfirma.com/research/qwerty-information-stealer/; classtype:trojan-activity; sid:2055393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_22, deployment Perimeter, deployment SSLDecrypt, malware_family Qwerty_Stealer, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_08_22; target:src_ip;)