Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 01:16 · Modified 21/12/2025 01:16

Essential information

Value / Name
c5950c3f5d221bc3262607aedc1f83376f750ce5
Confidence
100/100
Revoked
Yes
Valid from
29/08/2023 16:10
Valid until
01/12/2024 15:10
Pattern type
yara
Published
21/12/2025 01:16
Modified
21/12/2025 01:16
Author / Source
AlienVault

Description

No description.

Pattern

rule M_APT_Launcher_FOXGLOVE_1 {
    meta:
        author = "Mandiant"
        md5 = "c9ae8bfd08f57d955465f23a5f1c09a4"
    strings:
        // "foxdoor_" followed by "shell\0", assembled via immediate moves (stack-built string)
        $str1 = { 48 ?? 66 6F 78 64 6F 6F 72 5F 48 89 ?? C7 ?? ?? 73 68 65 6C 66 C7 ?? ?? 6C 00 }
        // "/usr/share/foxdoor/foxdoor_shell", likewise built in 8-byte immediate chunks
        $str2 = { 48 ?? 2F 75 73 72 2F 73 68 61 48 ?? 72 65 2F 66 6F 78 64 6F 48 89 ?? 48 89 ?? ?? 48 ?? 6F 72 2F 66 6F 78 64 6F 48 ?? 6F 72 5F 73 68 65 6C 6C }
        $str3 = "shell"
        $str4 = "start.c"
        $str5 = "base64en"
        $str6 = "base64de"
        $str7 = "-r"
        $str8 = "-s"
        $str9 = "-p"
        $str10 = "-t"
    condition:
        // 0x464c457f is the ELF magic ("\x7fELF") read little-endian, so the rule matches ELF files only
        uint32(0) == 0x464c457f and all of them
}

Labels / Tags

Labels: barracuda castletap cve20232868 depthcharge driedmoat foxglove foxtrot ghostemperor skipjack unc3886 unc4841

Marking (TLP)

TLP:CLEAR