alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Angry Stealer Data Exfiltration Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; startswith; content:"/sendDocument?chat_id="; within:100; content:"&caption="; within:40; content:"Angry|20|Stealer"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|document|22 3b 20|filename|3d 22|"; pcre:"/\x5cAppData\x5cLocal\x2f\x2f[A-Z]{2}\x5b\d{2}-\d{2}-\d{4}\x5d-\d{2,3}\x2e\d{2,3}\x2e\d{2,3}\x2e\d{2,3}-[A-Za-z]{9}\x2ezip\x22/R"; content:"44_23/Information.txt"; within:200; reference:url,www.cyfirma.com/research/a-comprehensive-analysis-of-angry-stealer-rage-stealer-in-a-new-disguise/; reference:md5,56a579cb88eb4bb93a45b163ab9825d8; classtype:trojan-activity; sid:2055724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_09_04, deployment Perimeter, deployment SSLDecrypt, malware_family Angry_Stealer, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_09_04; target:src_ip;)