alert http any any -> any any (msg:"STEALER [PTsecurity] XSSLite/RADX RAT Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Content-Encoding|3a| gzip"; content:"Expect|3a| 100-continue"; content:!"Referer"; http.request_body; content:"|7b 0d 0a 20 20 22|additionalInfo|22|"; startswith; fast_pattern; content:"|22|ip|22|"; distance:0; content:"|22|country|22|"; distance:0; content:"|22|DesktopFiles|22|"; distance:0; reference:url, www.virustotal.com/gui/file/a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10012769; rev:2;)