Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:47 · Modified 20/12/2025 19:47

Essential information

Value / Name
117a780708817e2eb92a517e2f6cb3d3dcd4d9be
Confidence
100/100
Revoked
Yes
Valid from
20/05/2022 10:48
Valid until
23/08/2023 10:48
Pattern type
yara
Published
20/12/2025 19:47
Modified
20/12/2025 19:47
Author / Source
AlienVault

Description

Detect the 64bit Loader DLL used by TwistedPanda

Pattern

rule apt_CN_TwistedPanda_64bit_Loader {
    meta:
        author = "Check Point Research"
        description = "Detect the 64bit Loader DLL used by TwistedPanda"
        date = "2022-04-14"
        hash = "e0d4ef7190ff50e6ad2a2403c87cc37254498e8cc5a3b2b8798983b1b3cdc94f"

    strings:
        // 48 8D ?? ?? ?? ?? ?? ?? ??              lea     rdx, ds:2[rdx*2]
        // 48 8B C1                                mov     rax, rcx
        // 48 81 ?? ?? ?? ?? ??                    cmp     rdx, 1000h
        // 72 ??                                   jb      short loc_7FFDF0BA1B48
        $path_check = { 48 8D [6] 48 8B ?? 48 81 [5] 72 }

        // 48 8B D0                                mov     rdx, rax        ; lpBuffer
        // 41 B8 F0 16 00 00                       mov     r8d, 16F0h      ; nNumberOfBytesToRead
        // 48 8B CF                                mov     rcx, rdi        ; hFile
        // 48 8B D8                                mov     rbx, rax
        // FF ?? ?? ?? ??                          call    cs:ReadFile
        $shellcode_read = { 48 8B D0 41 B8 F0 16 00 00 48 8B CF 48 8B D8 FF }

        // BA F0 16 00 00                          mov     edx, 16F0h      ; dwSize
        // 44 8D 4E 40                             lea     r9d, [rsi+40h]  ; flProtect
        // 33 C9                                   xor     ecx, ecx        ; lpAddress
        // 41 B8 00 30 00 00                       mov     r8d, 3000h      ; flAllocationType
        // FF ?? ?? ?? ?? ??                       call    cs:VirtualAlloc
        $shellcode_allocate = { BA F0 16 00 00 44 8D 4E 40 33 C9 41 B8 00 30 00 00 FF }

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 3000KB and $path_check and $shellcode_allocate and $shellcode_read
}

Labels / Tags

Labels: hodur plugx spinner twisted panda

Marking (TLP)

TLP:CLEAR