Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 23:18 · Modified 20/12/2025 23:18

Essential information

Value / Name
2e4391dba8410f2c72d1bc0ed0180d4b5c0ac316
Confidence
100/100
Revoked
Yes
Valid from
09/01/2023 21:02
Valid until
13/04/2024 22:02
Pattern type
yara
Published
20/12/2025 23:18
Modified
20/12/2025 23:18
Author / Source
AlienVault

Description

No description.

Pattern

rule M_APT_Kopiluwak_Recon_1
{
    meta:
        author = "Mandiant"
    strings:
        $rc4_1 = ".charCodeAt(i %"
        $rc4_2 = ".length)) % 256"
        $b64_1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        $b64_3 = ".charAt(parseInt("
        $recon_1 = "WScript.CreateObject"
        $recon_2 = ".Run("
        $Arguments = "WScript.Arguments"
    condition:
        ($rc4_1 and $rc4_2 and $b64_1) and ($Arguments or ($b64_3 and $recon_1 and $recon_2))
}

Labels / Tags

Labels: andromeda c2 data theft kopilowak multi-stage quietcanary reconnaissance turla usb spreading

Marking (TLP)

TLP:CLEAR