Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 21:44 · Modified 20/12/2025 21:44

Essential information

Value / Name
b5be237e979ba5cef73f8ccd39b58c76236e6b52
Confidence
100/100
Revoked
Yes
Valid from
22/07/2022 14:00
Valid until
25/10/2023 14:00
Pattern type
yara
Published
20/12/2025 21:44
Modified
20/12/2025 21:44
Author / Source
AlienVault

Description

Detects strings found in modified MICROBACKDOOR samples with screenshot capability

Pattern

rule MTI_Hunt_APT_Modified_MICROBACKDOOR_Strings
{
    meta:
        description = "Detects strings found in modified MICROBACKDOOR samples with screenshot capability"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment"
    strings:
        $a = "ERROR: Unknown command"
        $b = "ProxyServer"
        $c = "screenshot"
        $d = "uninst"
        $e = "shell"
        $f = "client.dll"
        $g = "Timeout occured"
    condition:
        all of them
}

Labels / Tags

Labels: apt geopolitical conflict ghostwriter ukraine unc1151 unc2589

Marking (TLP)

TLP:CLEAR