Indicator (IOC)

yara · Revoked · AlienVault · Published 20/12/2025 19:33 · Modified 20/12/2025 20:08

Essential information

Value / Name
deadbolt_uncompressed
Confidence
100/100
Revoked
Yes
Valid from
06/06/2022 16:34
Valid until
09/09/2023 16:34
Pattern type
yara
Published
20/12/2025 19:33
Modified
20/12/2025 20:08
Author / Source
AlienVault

Description

deadbolt_uncompressed: Looks for configuration fields in the JSON parsing code

Pattern

import "elf"

rule deadbolt_uncompressed : ransomware {
    meta:
        description = "Looks for configuration fields in the JSON parsing code"
        author = "Trend Micro Research"
        date = "2022-03-23"
        hash = "444e537f86cbeeea5a4fcf94c485cc9d286de0ccd91718362cecf415bf362bcf"
        hash = "80986541450b55c0352beb13b760bbd7f561886379096cf0ad09381c9e09fe5c"
        hash = "e16dc8f02d6106c012f8fef2df8674907556427d43caf5b8531e750cf3aeed77"

    strings:
        // Go struct JSON tags used by the sample's configuration struct
        $= "json:\"key\""
        $= "json:\"cgi_path\""
        $= "json:\"client_id\""
        $= "json:\"vendor_name\""
        $= "json:\"vendor_email\""
        $= "json:\"vendor_amount\""
        $= "json:\"payment_amount\""
        $= "json:\"vendor_address\""
        $= "json:\"master_key_hash\""
        $= "json:\"payment_address\""
        $= "json:\"vendor_amount_full\""

    condition:
        // Match only uncompressed ELF executables that carry every tag above
        elf.type == elf.ET_EXEC
        and all of them
}

Labels / Tags

Labels: asustor, deadbolt, qnap, ransomware

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.