🐾 - 🚨 Stealc Infostealer establishing connection to C2

SID: 3321293
Rev: 10
179 views
History
Source: pawpatrules
Created: July 14, 2024
Updated: July 14, 2024
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Stealc Infostealer establishing connection to C2"; flow:to_server, established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; pcre:"/boundary=----[A-Z]{20}$/"; http.request_body; pcre:"/------[A-Z]{20}/"; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22|"; fast_pattern; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc; reference:url,https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/; reference:url,https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/; target:src_ip; metadata:attack_target Client_Endpoint, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1071.001, mitre_technique_name Application_Layer_Protocol_Web_Protocols, former_category MALWARE, malware_family Stealc, created_at 2024_07_14, updated_at 2024_07_14; sid:3321293; rev:10; classtype:command-and-control;)
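Added illustration (not pawpatrules' code): the rule's per-buffer tests re-implemented in Python and run over constructed HTTP requests, so that the decoded hex content and the boundary constraints the rule depends on are visible. The host name, URIs, field names and the 20-letter boundary in the samples are made up for the example, not observed values; the `matches_sid_3321293` and `build_multipart_post` helpers are hypothetical names.

```python
import re

# Match conditions transcribed from SID 3321293. Everything here is an added
# illustration of what the rule keys on, not pawpatrules' own code.

# The |43 6f ... 22| hex content in the rule decodes to this ASCII string.
CONTENT_DISPOSITION = bytes.fromhex(
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20"
    "66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22"
)
# http.content_type pcre: boundary is "----" plus exactly 20 upper-case
# letters, anchored at the end of the header value.
CONTENT_TYPE_RE = re.compile(rb"boundary=----[A-Z]{20}$")
# http.request_body pcre: the multipart delimiter is "--" + that boundary.
BODY_DELIMITER_RE = re.compile(rb"------[A-Z]{20}")


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x parser: returns (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def matches_sid_3321293(raw: bytes) -> bool:
    """Apply the rule's buffer tests in the order the rule lists them."""
    method, uri, headers, body = parse_http_request(raw)
    if method != b"POST":                         # http.method; content:"POST"
        return False
    if not uri.endswith(b".php"):                 # http.uri; content:".php"; endswith
        return False
    if not CONTENT_TYPE_RE.search(headers.get(b"content-type", b"")):
        return False                              # http.content_type pcre
    if not BODY_DELIMITER_RE.search(body):
        return False                              # http.request_body pcre
    return CONTENT_DISPOSITION in body            # fast_pattern content


def build_multipart_post(uri: bytes, boundary: bytes, field: bytes, value: bytes) -> bytes:
    """Build a constructed multipart/form-data POST for exercising the checks."""
    body = (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field + b'"\r\n\r\n'
        + value + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )
    return (
        b"POST " + uri + b" HTTP/1.1\r\n"
        + b"Host: c2.example.invalid\r\n"          # constructed placeholder host
        + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


# Constructed samples: the 20-letter boundary is made up, not an observed value.
STEALC_STYLE = build_multipart_post(
    b"/example.php", b"----ABCDEFGHIJKLMNOPQRST", b"hwid", b"0000")
# Browser-style upload: boundary contains digits and lower-case, so the pcre fails.
BROWSER_UPLOAD = build_multipart_post(
    b"/upload.php", b"----WebKitFormBoundary7MA4YWxkTrZu0gW", b"file", b"hello")
# Same shape but only 19 letters: the anchored {20} does not match.
SHORT_BOUNDARY = build_multipart_post(
    b"/example.php", b"----ABCDEFGHIJKLMNOPQRS", b"hwid", b"0000")


def scan(requests):
    """Return the indexes of the requests that would trigger SID 3321293."""
    return [i for i, r in enumerate(requests) if matches_sid_3321293(r)]


if __name__ == "__main__":
    print(scan([STEALC_STYLE, BROWSER_UPLOAD, SHORT_BOUNDARY]))  # [0]
```

The two pcre checks together are what keep this rule specific: an ordinary browser upload is also a multipart POST carrying `Content-Disposition: form-data; name="`, but its boundary is not four dashes followed by exactly 20 upper-case letters at the end of the header value. When tuning or porting the rule, it is the boundary shape, not the form-data string, that carries the discriminating power.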

Metadata

attack target: Client_Endpoint
signature severity: Major
affected product: Windows_XP_Vista_7_8_10_11
mitre tactic id: TA0011
mitre tactic name: Command_and_Control
mitre technique id: T1071.001
mitre technique name: Application_Layer_Protocol_Web_Protocols
former category: MALWARE
malware family: Stealc
created at: 2024_07_14
updated at: 2024_07_14
