alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected SombRAT DNS Activity (TXT)"; pcre:"/\x1c(?:[a-z0-9]{28})[^\r\n]+(?:\x03(?:net|com)|\x02in)/"; content:"|00 10 00 01|"; fast_pattern; endswith; threshold:type both, track by_src,count 10, seconds 300; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-126a; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; reference:md5,05e133f34e44d75e596811bffba24156; classtype:trojan-activity; sid:2032942; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_11;)