Indicator (IOC)
Essential information
- Value / Name
- 948a10939b9a6e3672cd37cb062c57d2de0b20f2
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 08/09/2023 23:46
- Valid until
- 11/12/2024 22:46
- Pattern type
- yara
- Published
- 20/12/2025 19:40
- Modified
- 21/12/2025 01:07
- Author / Source
- AlienVault
Description
Detects SALTWATER samples
Pattern
rule CISA_10454006_13 : SALTWATER backdoor exploit_kit communicates_with_c2 determines_c2_server hides_executing_code exploitation
{
    meta:
        author = "CISA Code & Media Analysis"
        incident = "10454006"
        date = "2023-08-10"
        last_modified = "20230905_1500"
        actor = "n/a"
        family = "SALTWATER"
        capabilities = "communicates-with-c2 determines-c2-server hides-executing-code"
        malware_type = "backdoor exploit-kit"
        tool_type = "exploitation"
        description = "Detects SALTWATER samples"
        sha256 = "caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc"
    strings:
        $s1 = { 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 }
        $s2 = { 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 }
        $s3 = { 54 72 61 6d 70 6f 6c 69 6e 65 }
        $s4 = { 64 73 65 6c 64 73 }
        $s5 = { 25 30 38 78 20 28 25 30 32 64 29 20 25 2d 32 34 73 20 25 73 25 73 25 73 0a }
        $s6 = { 45 6e 74 65 72 20 6f 75 73 63 64 6f 6f 65 7c 70 72 65 64 61 72 65 28 25 70 2c 20 25 70 2c 20 25 70 29 }
        $s7 = { 45 6e 74 65 72 20 61 75 74 63 63 6f 6f 71 38 63 72 65 61 74 65 }
        $s8 = { 74 6e 6f 72 6f 74 65 63 74 6a 73 65 6d 6f 72 79 }
        $s9 = { 56 55 43 4f 4d 49 53 53 }
        $s10 = { 56 43 4f 4d 49 53 53 }
        $s11 = { 55 43 4f 4d 49 53 44 }
        $s12 = { 41 45 53 4b 45 59 47 45 4e 41 53 53 49 53 54 }
        $s13 = { 46 55 43 4f 4d 50 50 }
        $s14 = { 55 43 4f 4d 49 53 53 }
    condition:
        uint16(0) == 0x457f and filesize < 1800KB and 8 of them
}
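Added example (not part of the CISA rule or this platform's tooling): the rule above keys on raw hex byte sequences, so it is worth decoding them to see what an analyst is actually matching on, and worth checking how the condition behaves at its edges. The script below embeds the rule's strings section verbatim, decodes each pattern to ASCII, and re-implements just this rule's condition in plain Python (yara-python is not needed): uint16(0) == 0x457f is the ELF magic 7f 45 read little-endian, filesize < 1800KB is 1800 * 1024 bytes, and "8 of them" is a count of distinct string identifiers that matched. The build_sample helper and its ELF-looking blob are constructed test input, and the evaluator is a hypothetical re-implementation, not YARA itself. Note that this page marks the indicator as revoked with a validity window that ended 11/12/2024; the example is about reading the rule, not about deploying it.

```python
"""Decode the SALTWATER rule's hex strings and exercise its condition (added example)."""
import re
from typing import Dict, List, Optional

# The strings section of CISA_10454006_13, copied from the rule on this page.
RULE_STRINGS = r"""
$s1 = { 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 }
$s2 = { 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 }
$s3 = { 54 72 61 6d 70 6f 6c 69 6e 65 }
$s4 = { 64 73 65 6c 64 73 }
$s5 = { 25 30 38 78 20 28 25 30 32 64 29 20 25 2d 32 34 73 20 25 73 25 73 25 73 0a }
$s6 = { 45 6e 74 65 72 20 6f 75 73 63 64 6f 6f 65 7c 70 72 65 64 61 72 65 28 25 70 2c 20 25 70 2c 20 25 70 29 }
$s7 = { 45 6e 74 65 72 20 61 75 74 63 63 6f 6f 71 38 63 72 65 61 74 65 }
$s8 = { 74 6e 6f 72 6f 74 65 63 74 6a 73 65 6d 6f 72 79 }
$s9 = { 56 55 43 4f 4d 49 53 53 }
$s10 = { 56 43 4f 4d 49 53 53 }
$s11 = { 55 43 4f 4d 49 53 44 }
$s12 = { 41 45 53 4b 45 59 47 45 4e 41 53 53 49 53 54 }
$s13 = { 46 55 43 4f 4d 50 50 }
$s14 = { 55 43 4f 4d 49 53 53 }
"""

MAX_FILESIZE = 1800 * 1024   # YARA "1800KB" is kibibytes
REQUIRED_MATCHES = 8         # "8 of them"
ELF_MAGIC_U16 = 0x457F       # bytes 7f 45 ("\x7fE") read as little-endian uint16


def parse_hex_strings(text: str) -> Dict[str, bytes]:
    """Turn `$name = { aa bb ... }` lines into {name: bytes}; fromhex skips whitespace."""
    return {m.group(1): bytes.fromhex(m.group(2))
            for m in re.finditer(r"(\$\w+)\s*=\s*\{([0-9a-fA-F\s]+)\}", text)}


def decode_strings(patterns: Dict[str, bytes]) -> Dict[str, str]:
    """Render each pattern as ASCII with escapes (all bytes in this rule are printable ASCII)."""
    return {name: pat.decode("ascii").encode("unicode_escape").decode("ascii")
            for name, pat in patterns.items()}


def count_matches(data: bytes, patterns: Dict[str, bytes]) -> List[str]:
    """Identifiers whose byte pattern occurs anywhere in data (what 'N of them' counts)."""
    return [name for name, pat in patterns.items() if pat in data]


def matches_rule(data: bytes, patterns: Optional[Dict[str, bytes]] = None) -> bool:
    """Hypothetical re-implementation of: uint16(0) == 0x457f and filesize < 1800KB and 8 of them."""
    patterns = patterns if patterns is not None else parse_hex_strings(RULE_STRINGS)
    if len(data) < 2:               # uint16(0) is undefined on a file shorter than 2 bytes
        return False
    magic = int.from_bytes(data[:2], "little")
    return (magic == ELF_MAGIC_U16
            and len(data) < MAX_FILESIZE
            and len(count_matches(data, patterns)) >= REQUIRED_MATCHES)


def build_sample(hits: int, elf: bool = True, size: Optional[int] = None) -> bytes:
    """Constructed test input: an ELF-looking blob carrying the first `hits` patterns.

    Patterns are NUL-separated (none of them contains 0x00), so no match can
    straddle a boundary; `size` pads the blob to test the filesize bound.
    """
    patterns = parse_hex_strings(RULE_STRINGS)
    header = b"\x7fELF" if elf else b"MZ\x90\x00"
    body = b"\x00".join(list(patterns.values())[:hits])
    blob = header + b"\x00" * 60 + body
    if size is not None and size > len(blob):
        blob += b"\x00" * (size - len(blob))
    return blob


if __name__ == "__main__":
    pats = parse_hex_strings(RULE_STRINGS)
    for name, text in decode_strings(pats).items():
        print(f"{name:5} {text}")
    for hits in (7, 8, 9):
        sample = build_sample(hits)
        print(f"{hits} patterns embedded -> {len(count_matches(sample, pats))} matched, "
              f"rule fires: {matches_rule(sample, pats)}")
    print("PE header instead of ELF ->", matches_rule(build_sample(8, elf=False), pats))
    print("exactly 1800KB           ->", matches_rule(build_sample(8, size=MAX_FILESIZE), pats))
```

Two things the decoded output makes visible that the hex does not: $s1/$s2 are ordinary libc imports (pthread_create, gethostbyname) that appear in plenty of benign ELF binaries, so the rule relies on the 8-of-14 threshold and the more specific strings for precision; and $s14 (UCOMISS) is a substring of $s9 (VUCOMISS), so a sample containing $s9 always also counts $s14, which means the effective threshold is slightly lower than "8 distinct artifacts" suggests. The filesize check is strict: a file of exactly 1800 * 1024 bytes does not match.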
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.