Indicator (IOC)
Essential information
- Value / Name: Malicious_Malware_IOCs
- Confidence: 100/100
- Revoked: Yes
- Valid from: 29/01/2025 13:35
- Valid until: 16/11/2025 00:45
- Pattern type: yara
- Published: 21/12/2025 10:22
- Modified: 21/12/2025 10:23
- Author / Source: AlienVault
Description
Malicious_Malware_IOCs
Detects suspicious samples referencing known malicious infrastructure and strings
Pattern
rule Malicious_Malware_IOCs
{
    meta:
        description = "Detects suspicious samples referencing known malicious infrastructure and strings"
    strings:
        // --- IP addresses (as ASCII) ---
        $ip1 = "89.190.156.145"
        $ip2 = "91.92.243.233"
        $ip3 = "213.130.144.69"
        $ip4 = "154.216.16.109"
        $ip5 = "193.200.78.33"
        $ip6 = "173.239.233.47"
        $ip7 = "141.98.11.67"
        $ip8 = "141.98.11.175"
        $ip9 = "173.239.233.48"
        $ip10 = "173.239.233.46"
        // --- Domain names (as ASCII) ---
        $dom1 = "dogmuncher.xyz"
        $dom2 = "cardiacpure.ru"
        $dom3 = "fuerer-net.ru"
        $dom4 = "eye-network.ru"
        $dom5 = "intenseapi.com"
        $dom6 = "cloudboats.vip"
        $dom7 = "theeyefirewall.su"
        $dom8 = "awaken-network.net"
        // --- Unique strings from malware analysis ---
        $str_locker_killed = "[locker] killed process: %s"
        $str_killer_node = "[killer/node] killed process: %s"
        $str_killer_cpu = "[killer/cpu] killed process: %s"
        $str_killer_cmd = "[killer/cmd] killed process: %s"
        $str_killer_stat = "[killer/stat] killed process: %s"
        $str_killer_exe = "[killer/exe] killed process: %s"
        $str_killer_maps = "[killer/maps] killed process: %s"
    condition:
        any of ($ip*) or   // Match if any malicious IP is found in ASCII form
        any of ($dom*) or  // Match if any malicious domain is found in ASCII form
        any of ($str_killer*) or ($str_locker_killed)
}
Labels / Tags
Marking (TLP)
TLP:CLEAR