Indicator (IOC)

yara AlienVault · Published 21/12/2025 20:35 · Modified 21/12/2025 20:35

Essential information

Value / Name: 09756286dc08a9e1bb072687317af0ffeae39df8
Confidence: 100/100
Revoked: No
Valid from: 18/11/2025 03:23
Valid until: 04/09/2026 15:32
Pattern type: yara
Published: 21/12/2025 20:35
Modified: 21/12/2025 20:35
Author / Source: AlienVault

Description

No description.

Pattern

import "pe"

rule M_APT_Utility_DCSYNCER_SLICK_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        md5 = "10f16991665df69d1ccd5187e027cf3d"
    strings:
        $ = { 48 89 84 24 ?? 01 00 00 C7 84 24 ?? 01 00 00 30 80 28 00 C7 84 24 ?? 01 00 00 E8 03 00 00 48 C7 84 24 ?? 01 00 00 00 00 A0 00 BA ?? 00 00 00 8D 4A ?? FF 15 ?? ?? 01 00 48 89 84 24 ?? 01 00 00 C7 00 01 00 00 00 48 8B 84 24 ?? 01 00 00 44 89 ?? 04 48 8B 84 24 ?? 01 00 00 C7 40 08 ?? 00 00 00 41 8B ?? }
        $ = "\\LOG.txt" ascii wide
        $ = "%ws_%d:%d:" ascii wide fullword
        $ = "%ws:%d:" ascii wide fullword
        $ = "::::" ascii wide fullword
        $ = "%ws_%d:%d::" ascii wide fullword
        $ = "%ws:%d::" ascii wide fullword
    condition:
        pe.is_pe and all of them
}

Labels / Tags

Labels: aerospace, crashpad, custom malware, dcsyncer.slick, deeproot, defense, espionage, ghostline, lateral movement, lightrail, minibike, phishing, pollblend, privilege escalation, sightgrab, third-party compromise, trusttrap, twostroke

Marking (TLP)

TLP:CLEAR