alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"STEALER [PTsecurity] MetaStealer"; flow:established, to_client; content:"200"; http_stat_code; content:"Content-Length: 46"; http_header; content:"{|22|ok|22|:|22|"; http_server_body; depth:7; pcre:"/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\x22\x7d\x0a/RQ"; isdataat:!1, relative; reference:url, https://app.any.run/tasks/a3bfd605-f3ef-43e4-85bc-7e909275a770; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10007504; rev:4;)