alert http any any -> any any (msg:"REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow:established, to_server; http.method; content:"POST"; http.header; content:"User-Agent: Boost.Beast"; content:"Content-Type: application/json"; content:!"Referer"; http.request_body; content:"{|22|BuildName|22|:|22|"; startswith; content:"|22|Domain|22|:"; distance:0; content:"|22|Hostname|22|:"; distance:0; content:"|22|Os|22|:"; distance:0; content:"|22|Username|22|:"; distance:0; content:"|22|Uuid|22|:"; distance:0; reference:url, https://www.virustotal.com/gui/file/dca85252d885882fb5eb38d21d48c44012f769a631114ea0c4bfc0f423d82c60/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011947; rev:1;)