🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 C2 requesting informations to Windows 🪟 computer - Leak 🚱
Source: pawpatrules
Created: August 16, 2023
Updated: February 18, 2024
Classification: credential-theft
alert http $EXTERNAL_NET any -> any any (msg:"🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 C2 requesting informations to Windows 🪟 computer - Leak 🚱"; flow:to_client, stateless; http.server; content:"Werkzeug/"; nocase; content:"Python/"; nocase; http.response_body; content:"libs_"; content:".dll"; content:"ews_"; content:"wlts_"; content:"sstmnfo_System Info.txt:"; fast_pattern; content:"xtntns_"; content:"tlgrm_"; content:"dscrd_"; content:"sgnl_"; content:"grbr_"; content:"token:"; pcre:"/token:[a-f0-9]{32}/"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:dest_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300704; rev:2; classtype:credential-theft;)
References
Metadata
affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2023_08_16
updated at: 2024_02_18