216.73.216.233

Indicator (IOC)

Pattern type: yara · Source: AlienVault · Published 21/12/2025 20:35 · Modified 21/12/2025 20:35

Essential information

Value / Name
f38bba949956ef527a86f89042a81a2f07931ce6
Confidence
100/100
Revoked
No
Valid from
18/11/2025 03:23
Valid until
04/09/2026 15:32
Pattern type
yara
Published
21/12/2025 20:35
Modified
21/12/2025 20:35
Author / Source
AlienVault

Description

No description.

Pattern

import "pe"

rule M_APT_Utility_CRASHPAD_1 {
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
        md5 = "b2bd275f97cb95c7399065b57f90bb6c"
    strings:
        $ = "[-] Loo ror: %u" ascii fullword
        $ = "[-] Adj r: %u" ascii fullword
        $ = "[-] Th ge. " ascii fullword
        $ = "[+] O s!" ascii fullword
        $ = "[-] O C: %i" ascii fullword
        $ = "[-] O E: %i" ascii fullword
        $ = "[+] Op cess!" ascii fullword
        $ = "[-] Op Code: %i" ascii fullword
        $ = "[-] O Error: %i" ascii fullword
        $ = "[+] Im su!" ascii fullword
        $ = "[+] R" ascii fullword
        $ = "[-] Impe Code: %i" ascii fullword
        $ = "[-] Imo: %i" ascii fullword
        $ = "[+] Du success!" ascii fullword
        $ = "[-] Du Code: %i" ascii fullword
        $ = "[-] Du Error: %i" ascii fullword
        $ = "[+] Dec Suc." ascii fullword
        $ = "%02X" ascii fullword
        $ = "Decryption failed" ascii fullword
        $ = "config.txt"
        $ = "crash.log"
        $ = "[+] e wt!" ascii fullword
        $ = "[+] p %d!" ascii fullword
        $ = "[+] e!" ascii fullword
    condition:
        pe.is_pe and 15 of them
}
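The condition above has two parts that are easy to misjudge when triaging a hit or a miss: `pe.is_pe` means a non-PE artifact (a memory dump without its MZ header, a carved string blob) will never match no matter how many strings it contains, and `15 of them` counts distinct strings that matched at least once, with `fullword` requiring the match to be bordered by non-alphanumeric bytes. The following Python is an added illustration, not GTIG's or AlienVault's code, that re-implements that evaluation over the rule's own string table (taken exactly as it appears on this page) so the threshold and boundary behaviour can be checked offline. The `is_pe` check is a simplified stand-in for YARA's PE module (MZ signature plus a valid `PE\0\0` at `e_lfanew`), and the sample bytes are constructed here for the demonstration.

```python
import struct

# String table copied from the rule above: (text, fullword?).
# Only "config.txt" and "crash.log" lack the fullword modifier in the rule.
RULE_STRINGS = [
    ("[-] Loo ror: %u", True), ("[-] Adj r: %u", True), ("[-] Th ge. ", True),
    ("[+] O s!", True), ("[-] O C: %i", True), ("[-] O E: %i", True),
    ("[+] Op cess!", True), ("[-] Op Code: %i", True), ("[-] O Error: %i", True),
    ("[+] Im su!", True), ("[+] R", True), ("[-] Impe Code: %i", True),
    ("[-] Imo: %i", True), ("[+] Du success!", True), ("[-] Du Code: %i", True),
    ("[-] Du Error: %i", True), ("[+] Dec Suc.", True), ("%02X", True),
    ("Decryption failed", True), ("config.txt", False), ("crash.log", False),
    ("[+] e wt!", True), ("[+] p %d!", True), ("[+] e!", True),
]
THRESHOLD = 15  # "15 of them"


def is_pe(data: bytes) -> bool:
    """Simplified pe.is_pe: 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _is_alnum(byte: int) -> bool:
    # YARA uses C isalnum(): ASCII letters and digits only.
    return bytes([byte]).isalnum()


def string_matches(data: bytes, needle: bytes, fullword: bool) -> bool:
    """True if needle occurs in data; with fullword, at least one occurrence
    must have a non-alphanumeric byte (or buffer edge) on both sides."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return False
        if not fullword:
            return True
        end = idx + len(needle)
        before_ok = idx == 0 or not _is_alnum(data[idx - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = idx + 1


def count_matching_strings(data: bytes) -> int:
    """Number of distinct rule strings present (each counts once, as in 'N of them')."""
    return sum(
        1 for text, fullword in RULE_STRINGS
        if string_matches(data, text.encode("ascii"), fullword)
    )


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: pe.is_pe and 15 of them."""
    return is_pe(data) and count_matching_strings(data) >= THRESHOLD


def build_sample(strings, with_pe_header: bool = True) -> bytes:
    """Constructed test artifact: optional minimal MZ/PE stub followed by the
    given strings separated by NUL bytes (NUL satisfies the fullword boundary)."""
    body = b"\x00".join(s.encode("ascii") for s in strings)
    if not with_pe_header:
        return b"\x00" * 0x100 + body  # same strings, no PE header
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + body


if __name__ == "__main__":
    all_strings = [s for s, _ in RULE_STRINGS]
    print("full PE sample matches:", rule_matches(build_sample(all_strings)))
    print("same strings, no PE header:", rule_matches(build_sample(all_strings, False)))
    print("only 14 strings present:", rule_matches(build_sample(all_strings[:14])))
```

Running the block shows the three cases a triage engineer most often trips over: the complete PE stub matches, the identical string set without an MZ/PE header does not (so a raw memory region or a carved blob needs a different rule or a manual string count), and a sample carrying 14 of the 24 strings falls one short of the threshold. Note that the boundary check is applied even where the string itself begins or ends with a non-alphanumeric character such as `[`, exactly as YARA does.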

Labels / Tags

Labels: aerospace, crashpad, custom malware, dcsyncer.slick, deeproot, defense, espionage, ghostline, lateral movement, lightrail, minibike, phishing, pollblend, privilege escalation, sightgrab, third-party compromise, trusttrap, twostroke

Marking (TLP)

TLP:CLEAR