The rule for exfiltration could be like this:
# Detects the DCRat (DarkCrystal RAT) file-upload request seen in the sample
# referenced below. All conditions must hold on one HTTP request:
#   - established client-to-server flow, method POST, URI ending in ".php"
#   - request body is multipart form data: a first part named "0" with
#     Content-Type text/plain, then a part whose name is 40 lowercase hex
#     characters and whose filename repeats that same value (pcre backreference \1)
#   - that second part is application/octet-stream and its data starts with
#     "UEsD", the Base64 encoding of the bytes 50 4B 03 ("PK\x03"), so the
#     upload is presumably a Base64-encoded ZIP archive
#   - the request carries "Expect: 100-continue", the header-name list ends with
#     Content-Type, User-Agent, Host, Content-Length, Expect in that order, and
#     there is no Referer header
# NOTE(review): "distance: 34; within: 72" and the header-order match tie the
# rule to the exact request layout of the referenced sample; verify against
# that capture and expect misses if the client's boundary length or header
# order changes.
# NOTE(review): "sid:1; rev:1" looks like a placeholder; give the rule a unique
# sid from your local range before loading it next to other rule sets.
# NOTE(review): the rule is shown wrapped over several lines; Suricata reads one
# rule per logical line, so join the lines (or use backslash continuation where
# your version supports multi-line rules) before deploying.
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration";
flow: established, to_server;
http.method;content: "POST";
http.uri;content: ".php"; endswith;
http.request_body;
content: "------";
content: "|0d 0a|Content-Disposition: form-data|3b| name=|22|0|22 0d 0a|Content-Type: text/plain|0d0a 0d0a|"; distance: 34; within: 72;
content: "Content-Disposition: form-data|3b| name=|22|"; distance: 0;
pcre: "/^([a-f0-9]{40})\x22\x3b\x20filename=\x22\1\x22/R";
content: "|0d 0a|Content-Type: application/octet-stream|0d 0a 0d 0a|UEsD"; within: 48; http.header;
content:"Expect|3a 20|100|2d|continue";
http.header_names;
content: "|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|";
content:!"Referer|0d 0a|";
reference: md5,ec01cff4cf0004f1b6c934d7263f5023;
reference: url,app.any.run/tasks/79b78536-75bf-43b4-99d6-3438ba41e40c;
classtype: trojan-activity;
sid:1; rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_09_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, confidence High, signature_severity Critical, updated_at 2023_09_20;)
Best regards, Jane ⋆⭒˚。⋆