Back to Rule

Rule History

SID: 2029794 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2Apr 2, 2020, 12:00 PM

ET MALWARE Suspected Stitch Variant Backdoor CnC

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits"; fast_pattern; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|"; content:!"Connection|3a 20|"; content:!"Host|3a 20|"; content:!"Keep-Alive:|3a 20|"; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; reference:md5,ec993ff561cbc175953502452bfa554a; classtype:command-and-control; sid:2029794; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, malware_family Stitch, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_09;)

Apr 2, 2020, 12:00 PM

Sep 9, 2021, 12:00 PM

Sep 21, 2024, 3:00 AM

Sep 19, 2025, 10:35 PM

rules/emerging-malware.rules