
Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 01:16 · Modified 21/12/2025 01:16

Essential information

Value / Name: 675e640d82635c8c93f147bd69d1a2c1195acf1f
Confidence: 100/100
Revoked: Yes
Valid from: 29/08/2023 16:10
Valid until: 01/12/2024 15:10
Pattern type: yara
Published: 21/12/2025 01:16
Modified: 21/12/2025 01:16
Author / Source: AlienVault

Description

No description.

Pattern

rule M_APT_Backdoor_DEPTHCHARGE_1 {
    meta:
        author = "Mandiant"
        md5 = "b745626b36b841ed03eddfb08e6bb061"
    strings:
        $backdoor_command_main = { 65 63 68 6F 20 2D 6E 20 27 25 73 27 20 7C (20 62 61 73 65 36 34 20 2D 64 20 7C 20 | 20 ) 6F 70 65 6E 73 73 6C 20 61 65 73 2D 32 35 36 2D 63 62 63 20 2D 64 20 2D 4B 20 [24-124] 20 32 3e 2f 64 65 76 2f 6e 75 6c 6c 20 7c 20 73 68 }
        $e1 = "welcomeflag" fullword
        $e2 = "welcomebuffer" fullword
        $e3 = "launch_backdoor" fullword
        $e4 = "backdoor_initalize" fullword
        $s1 = "BSMTP_ID" fullword
        $s2 = "result %d" fullword
        $s3 = "ehlo" fullword
    condition:
        uint32(0) == 0x464c457f and $backdoor_command_main and 4 of them
}

Labels / Tags

Labels: barracuda castletap cve20232868 depthcharge driedmoat foxglove foxtrot ghostemperor skipjack unc3886 unc4841

Marking (TLP)

TLP:CLEAR