Hi, I want to suggest one more signature:
alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgIkdyYWJiZXIiOiBbCiAg"; depth:28; classtype:trojan-activity; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13; sid:1; rev:1;)
and editing the message of an existing one:
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog"; startswith; fast_pattern; reference:md5,6c2283c27a3ac1164aad01f982f17db3; reference:url,twitter.com/Jane_0sint/status/1670048531665518592; reference:url,app.any.run/tasks/cf27f0ec-1be0-4353-82fc-d392eaa8b24b; classtype:trojan-activity; sid:2046303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_06_20, deployment Perimeter, former_category MALWARE, malware_family Meduza, confidence High, signature_severity Critical, updated_at 2023_06_29;)
… and one more generic rule
alert tcp any any -> any 15666 (msg:"ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)"; flow:established,to_server; stream_size:server,=,1; content:"ewogICAg"; depth:8; classtype:trojan-activity; reference:md5,d1c95dfd50744b0133abd72801b8a0f3; reference:url,community.emergingthreats.net/t/medusa-stealer; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 4664493, malware_family Meduza, tag stealer, created_at 2024_02_13; sid:2; rev:1;)
Jane
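Added worked example, not part of the post above and not ET or ANY.RUN code: it decodes the three `content` anchors to show the plaintext each rule actually keys on (the start of a base64-encoded, 4-space-indented JSON object), then runs a simplified model of Suricata's `content`/`depth`/`startswith` matching over two constructed client payloads. The payloads, the port logic and the matcher are assumptions made for the demonstration; `$HOME_NET`/`$EXTERNAL_NET` and `stream_size` are not modelled. It also shows why the generic `ewogICAg` rule is broad: any pretty-printed JSON with that indent encodes to the same first eight characters, so the port restriction is doing most of the work there.

```python
import base64

# Content anchors copied verbatim from the three rules in the post.
# dst_ports reduces each rule's port clause to a predicate (assumption: nets ignored).
RULES = [
    {
        "msg": "ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1",
        "content": "ewogICAgImNocm9taXVtX2Jyb3dzZXJzIjog",
        "startswith": True, "depth": None,
        "dst_ports": lambda p: p >= 1024,          # "-> $EXTERNAL_NET 1024:"
    },
    {
        "msg": "ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2",
        "content": "ewogICAgIkdyYWJiZXIiOiBbCiAg",
        "startswith": False, "depth": 28,
        "dst_ports": lambda p: True,               # "-> any any"
    },
    {
        "msg": "ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)",
        "content": "ewogICAg",
        "startswith": False, "depth": 8,
        "dst_ports": lambda p: p == 15666,         # "-> any 15666"
    },
]


def decode_anchor(b64_prefix: str) -> bytes:
    """Decode a base64 prefix. Only whole 4-character groups decode cleanly,
    so a prefix is truncated to that boundary before decoding."""
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]
    return base64.b64decode(usable)


def content_matches(payload: bytes, content: str, depth=None, startswith=False) -> bool:
    """Simplified model of Suricata content matching on one payload buffer:
    startswith pins the match to offset 0; depth N requires the whole pattern
    to fall inside the first N bytes (no depth = anywhere in the buffer)."""
    needle = content.encode("ascii")
    if startswith:
        return payload.startswith(needle)
    window = payload if depth is None else payload[:depth]
    return needle in window


def matching_rules(payload: bytes, dst_port: int) -> list:
    """Return the msg of every rule whose port clause and content clause both hold."""
    return [
        r["msg"]
        for r in RULES
        if r["dst_ports"](dst_port)
        and content_matches(payload, r["content"], r["depth"], r["startswith"])
    ]


# Constructed sample traffic (not captured data): the first client message is a
# base64-encoded, 4-space-indented JSON object, which is the shape the rules target.
GRABBER_SAMPLE = base64.b64encode(
    b'{\n    "Grabber": [\n        {"path": "placeholder.txt"}\n    ]\n}'
)
# Any other JSON object with the same indent encodes to the same first 8 characters,
# so it trips the generic rule on the port it is restricted to.
BENIGN_SAMPLE = base64.b64encode(b'{\n    "status": "ok"\n}')


def main():
    for r in RULES:
        print(f'{r["msg"]}\n  {r["content"]!r} -> {decode_anchor(r["content"])!r}')
    print("grabber sample to :15666 ->", matching_rules(GRABBER_SAMPLE, 15666))
    print("grabber sample to :4444  ->", matching_rules(GRABBER_SAMPLE, 4444))
    print("benign sample  to :15666 ->", matching_rules(BENIGN_SAMPLE, 15666))
    print("benign sample  to :443   ->", matching_rules(BENIGN_SAMPLE, 443))


if __name__ == "__main__":
    main()
```

Running it shows M2 and the generic rule both firing on the grabber sample to port 15666, only M2 firing on any other port, and only the generic rule firing on the benign JSON sent to 15666; the M1 anchor decodes to the `"chromium_browsers"` key, which the grabber sample does not begin with.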