REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)

SID: 10011867
Rev: 2
Source: ptrules/open
Created: October 9, 2025
Updated: October 9, 2025
Classification: trojan-activity
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow:established, to_server; stream_size:server, =, 1; stream_size:client, >, 260; dsize:190<>512; content:"{|22|Uuid|22|"; distance:0; content:"|22|Hostname|22|"; distance:0; content:"|22|Username|22|"; distance:0; content:"|22|LocalIp|22|"; distance:0; content:"|22|PublicIp|22|"; distance:0; content:"|22|Os|22|"; distance:0; content:"}"; endswith; reference:url, https://www.virustotal.com/gui/file/5d924a9ab2774120c4d45a386272287997fd7e6708be47fb93a4cad271f32a03/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011867; rev:2;)
