🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 DLL download from C2 - Leak 🚱
Source: pawpatrules
Created: August 16, 2023
Updated: February 18, 2024
Classification: credential-theft
alert http $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 DLL download from C2 - Leak 🚱"; flow:to_client, stateless; http.server; content:"Werkzeug/"; nocase; content:"Python/"; nocase; http.header; content:"Content-Disposition"; fast_pattern; nocase; content:"inline"; nocase; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fileext:"dll"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:dest_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300703; rev:2; classtype:credential-theft;)
References
Metadata
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2023_08_16
updated at: 2024_02_18