Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 14:04 · Modified 20/02/2026 05:57

Essential information

Value / Name: 376c809afd6aad06121e199e70477ad9ebaf0795
Confidence: 100/100
Revoked: Yes
Valid from: 05/05/2025 19:46
Valid until: 20/02/2026 05:56
Pattern type: yara
Published: 21/12/2025 14:04
Modified: 20/02/2026 05:57
Author / Source: AlienVault

Description

Rule to detect More_eggs_JavaScript

Pattern

rule More_eggs_JS_BackDoor {

    meta:
        description = "Rule to detect More_eggs_JavaScript"
        last_modified = "2025-04-24"
        author = "The Arctic Wolf Labs team"
        version = "1.0"

    strings:
        // Distinctive variable and function names from the More_eggs JavaScript loader
        $a1 = "var rcon_max = hit_each * (restart_h * 60) / (hit_each * hit_each);" ascii wide
        $a2 = "function hit_Gate(URL, POSTdata, gResponse, method)" ascii wide
        $a3 = "function dExec(zURL, myKey, xPE, xEntryP)" ascii wide
        $a4 = "var xCrypted = zzzz4(Rkey + keynow, not_unique) + keynow;" ascii wide
        // Constants from the script's embedded checksum routine and comparison checks
        $a5 = "tmp = 3988292384 ^ tmp >>> 1;"
        $a6 = "cNow !== 3377271179 && cNow !== 3106260013 &&"

    condition:
        // Keep scanning cheap on large files; any two of the strings is enough to flag
        filesize < 1MB and (2 of ($a*))
}

Labels / Tags

Labels: backdoor evasion javascript lnk files more_eggs polymorphism spear-phishing

Marking (TLP)

TLP:CLEAR