216.73.216.233

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 22:57 · Modified 20/12/2025 22:57

Essential information

Value / Name
636742fee7f44eee3b90d32fbf92c4070d657e7f
Confidence
100/100
Revoked
Yes
Valid from
22/12/2022 22:18
Valid until
26/03/2024 22:18
Pattern type
yara
Published
20/12/2025 22:57
Modified
20/12/2025 22:57
Author / Source
AlienVault

Description

Detect a linux ransomware variant dubbed as RedAlert

Pattern

rule MAL_Lin_Ransomware_RedAlert {   
     meta:   
       author = "Antonio Cocomazzi @ SentinelOne"   
       description = "Detect a linux ransomware variant dubbed as RedAlert"   
       date = "2022-11-28"   
       reference = "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"   
       hash = "da6a7e9d39f6a9c802bbd1ce60909de2b6e2a2aa"   
      
     strings:   
       $code1 = {BA 48 00 00 00 BE [4] BF [4] E8 [4] BA 48 00 00 00 BE [4] BF [4] E8}   
       $code2 = {BF [4] 66 [6] 6B 06 E8}   
       $code3 = {B9 02 00 00 00 [0-12] BE 14 00 00 00 BF}   
       $code4 = {49 81 FE 00 00 50 00 [0-12] 0F}   
       $code5 = {49 81 FE 00 00 40 06 [0-12] 0F}   
      
     condition:   
       uint32(0) == 0x464c457f and all of them   
   }

Labels / Tags

Labels: chily esxi servers parallel encryption polyvice raas ransomware redalert sunnyday vice society zeppelin

Marking (TLP)

TLP:CLEAR

Related entities

Reports and intrusion sets linked to this IOC.

Intrusion sets (1)

  • Vice Society
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 ·