alert http any any -> any any (msg:"STEALER [PTsecurity] ZZSteal"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/upwawsfrg.php"; isdataat:!1, relative; http.cookie; content:"SESSION="; depth:8; http.header; content:"Content-Type: application/x-www-form-urlencoded"; content:"User-Agent: Mozilla / 5.0(Windows NT 10.0|3b| Win64|3b| x64|3b| rv: 108.0) Gecko / 20100101 Firefox / 108.0"; fast_pattern; content:!"Referer"; http.request_body; content:"Name="; depth:5; content:"&dataFile="; distance:5; within:30; reference:url, https://tria.ge/240403-pm36fsda7z/behavioral2; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011385; rev:2;)