Indicator (IOC)

yara · Revoked · AlienVault · Published 21/12/2025 14:04 · Modified 20/02/2026 05:57

Essential information

Value / Name
d68d0668ee588e9229e7c1eb20da20b7b04e15c3
Confidence
100/100
Revoked
Yes
Valid from
05/05/2025 19:46
Valid until
20/02/2026 05:56
Pattern type
yara
Published
21/12/2025 14:04
Modified
20/02/2026 05:57
Author / Source
AlienVault

Description

Rule to detect More_eggs_Dropper

Pattern

rule More_eggs_Dropper {
    meta:
        description = "Rule to detect More_eggs_Dropper"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        sha256 = "f7a405795f11421f0996be0d0a12da743cc5aaf65f79e0b063be6965c8fb8016"

    strings:
        // Identifier strings carried by the dropper; "ascii wide" matches both
        // the raw ASCII bytes and the UTF-16LE (null-interleaved) form.
        $a1 = "Authorities32" ascii wide
        $a2 = "Guards128" ascii wide
        $a3 = "Implications256" ascii wide
        $a4 = "Monster32" ascii wide
        $a5 = "Sphere256" ascii wide

    condition:
        // MZ header (uint16 at offset 0 read little-endian is 0x5A4D),
        // file smaller than 1 MB, and every $a string present.
        uint16(0) == 0x5A4D and filesize < 1MB and all of ($a*)
}
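The following is an added example, not part of the indicator record and not code from Arctic Wolf Labs or AlienVault. It re-implements the rule's condition in plain Python so the matching semantics can be checked without a YARA install: `uint16(0)` is read little-endian (so bytes "MZ" give 0x5A4D), YARA's `1MB` is 2**20 bytes, and `ascii wide` means the literal bytes or the same text as UTF-16LE. The sample blobs are constructed here and are not real More_eggs artefacts; `build_sample` and `run_checks` are helpers introduced for this example.

```python
# Added example: pure-Python re-evaluation of the More_eggs_Dropper rule's
# condition. Not Arctic Wolf's or AlienVault's code; the sample blobs are
# constructed here and are not real More_eggs artefacts.

MB = 1024 * 1024  # YARA's "MB" size suffix means 2**20 bytes, not 10**6

# The five $a strings from the rule, in their ASCII form.
RULE_STRINGS = (
    b"Authorities32",
    b"Guards128",
    b"Implications256",
    b"Monster32",
    b"Sphere256",
)


def string_present(data: bytes, s: bytes) -> bool:
    """'ascii wide' in YARA: the literal bytes, or the same text as UTF-16LE."""
    wide = s.decode("ascii").encode("utf-16-le")
    return s in data or wide in data


def more_eggs_dropper(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5A4D and filesize < 1MB and all of ($a*)."""
    if len(data) < 2:
        return False  # uint16(0) is undefined on a file shorter than 2 bytes
    magic = int.from_bytes(data[:2], "little")  # YARA's uint16() is little-endian
    if magic != 0x5A4D:  # bytes "MZ" read little-endian
        return False
    if len(data) >= 1 * MB:  # "filesize < 1MB" is a strict bound
        return False
    return all(string_present(data, s) for s in RULE_STRINGS)


def build_sample(strings, *, wide=False, size=None, magic=b"MZ") -> bytes:
    """Construct a fake PE-like blob (hypothetical test data): a 2-byte magic,
    two filler bytes, then the strings as ASCII or UTF-16LE, optionally
    zero-padded up to `size` bytes."""
    encoded = [s.decode("ascii").encode("utf-16-le") if wide else s for s in strings]
    blob = magic + b"\x90\x00" + b"\x00".join(encoded)
    if size is not None and len(blob) < size:
        blob += b"\x00" * (size - len(blob))
    return blob


def run_checks() -> dict:
    """Run the rule logic over constructed samples; keys describe each case."""
    return {
        "ascii_hit": more_eggs_dropper(build_sample(RULE_STRINGS)),
        "wide_hit": more_eggs_dropper(build_sample(RULE_STRINGS, wide=True)),
        "missing_one_string": more_eggs_dropper(build_sample(RULE_STRINGS[:4])),
        "wrong_magic": more_eggs_dropper(build_sample(RULE_STRINGS, magic=b"ZM")),
        "exactly_1mb": more_eggs_dropper(build_sample(RULE_STRINGS, size=MB)),
    }


if __name__ == "__main__":
    for name, hit in run_checks().items():
        print(f"{name:20s} -> {'MATCH' if hit else 'no match'}")
```

Running the script prints one line per case: the ASCII and UTF-16LE samples match, while a blob missing one string, a blob whose first two bytes are not "MZ", and a blob of exactly 1 MB do not. For real scanning use the rule as published with yara or yara-python; this script only illustrates how the condition is evaluated. Note that the record above marks the indicator as revoked with its validity ended on 20/02/2026, so the rule should be treated as historical context, not dropped into an active detection set without re-validation against current samples.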

Labels / Tags

Labels: backdoor evasion javascript lnk files more_eggs polymorphism spear-phishing

Marking (TLP)

TLP:CLEAR