Indicator (IOC)
Essential information
- Value / Name
- M_Credtheft_DRYHOOK_1
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 09/01/2025 10:03
- Valid until
- 26/10/2025 21:12
- Pattern type
- yara
- Published
- 21/12/2025 08:44
- Modified
- 21/12/2025 08:44
- Author / Source
- AlienVault
Description
M_Credtheft_DRYHOOK_1
Hunting rule looking for strings identified in the DRYHOOK credential stealer
Pattern
rule M_Credtheft_DRYHOOK_1 {
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the DRYHOOK credential stealer"
        md5 = "61bb586dc4e047ab081ef6ca65684e48"
    strings:
        // Paths, identifiers and shell commands seen in the sample
        $str1 = "/home/perl/DSAuth.pm"
        $str2 = "replace_content"
        $str3 = "replace1_content"
        $str4 = "replace2_content"
        $str5 = "pkill cgi-server"
        $str6 = "setPrompt ="
        $str7 = "runSignin = \\*DSAuthc::RealmSignin_runSignin"
        $str8 = "/bin/mount -o remount,rw / > /dev/null 2>&1"
        // Hex-encoded Python source line; decodes to:
        // data = re.sub(b"\*runSigninEBSL =.*;",base64.b64decode(replace2_content.encode()).decode().encode("unicode_escape"),data)
        $str9 = {64 61 74 61 20 3d 20 72 65 2e 73 75 62 28 62 22
                 5c 2a 72 75 6e 53 69 67 6e 69 6e 45 42 53 4c 20 3d 2e 2a 3b 22 2c
                 62 61 73 65 36 34 2e 62 36 34 64 65 63 6f 64 65 28 72 65 70 6c 61
                 63 65 32 5f 63 6f 6e 74 65 6e 74 2e 65 6e 63 6f 64 65 28 29 29 2e 64
                 65 63 6f 64 65 28 29 2e 65 6e 63 6f 64 65 28 22 75 6e 69 63 6f 64 65
                 5f 65 73 63 61 70 65 22 29 2c 64 61 74 61 29}
    condition:
        // Require most of the strings and a small file to limit false positives
        8 of them and filesize < 20KB
}
Labels / Tags
Marking (TLP)
TLP:CLEAR