Versions (3)
Version DetailsCurrent
Rev: 5 • Nov 9, 2020, 12:00 PMET MALWARE Suspected Snugy DNS Backdoor Initial Beacon
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; content:"|2e|"; offset:8; depth:1; pcre:"/^[qbedm](?:[tmp]646\d[a-zA-Z]{2}|[dhz][a-zA-Z]{2}646\d)\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, confidence Medium, signature_severity Major, tag c2, updated_at 2023_03_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
Nov 9, 2020, 12:00 PM
Mar 29, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-malware.rules