🐾 - 🚨 Suspicious TLS Certificate - Possible Darkvision RAT 🐀 C2 Server
Source: pawpatrules
Created: May 30, 2023
Updated: May 30, 2023
Classification: trojan-activity
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 Suspicious TLS Certificate - Possible Darkvision RAT 🐀 C2 Server"; flow:to_client, stateless; tls.cert_subject; content:"C=US"; nocase; content:"ST=Someprovince"; content:"L=Sometown"; content:"O=none"; content:"OU=none"; content:"CN=localhost"; content:"emailAddress=webmaster@localhost"; tls.cert_issuer; content:"C=US"; nocase; content:"ST=Someprovince"; content:"L=Sometown"; content:"O=none"; content:"OU=none"; content:"CN=localhost"; content:"emailAddress=webmaster@localhost"; reference:url,https://www.pcrisk.com/removal-guides/26678-darkvision-rat; reference:url,https://bazaar.abuse.ch/sample/56cb118f4caa1f3d0461faba24d9cb575843177b2a756622533ba00dbac10a2a/; reference:url,https://app.any.run/tasks/98e269e7-68e9-40b1-89e7-90745a119a0a/; reference:url,https://www.virustotal.com/gui/domain/pylox.petchx.com/relations; metadata:created_at 2023_05_30, updated_at 2023_05_30; sid:3300690; rev:1; classtype:trojan-activity;)
Metadata
created at: 2023_05_30
updated at: 2023_05_30