Indicator (IOC)
Essential information
- Value / Name
- 6ec815d9acfee40f23b3f748b469754cd0669eee
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 09/08/2023 23:44
- Valid until
- 11/11/2024 22:44
- Pattern type
- yara
- Published
- 20/12/2025 19:40
- Modified
- 21/12/2025 00:57
- Author / Source
- AlienVault
Description
No description.
Pattern
rule CISA_10454006_10 : trojan persists_after_system_reboot
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10454006"
        Date = "2023-07-20"
        Last_Modified = "20230726_1700"
        Actor = "n/a"
        Family = "n/a"
        Capabilities = "persists-after-system-reboot"
        Malware_Type = "trojan"
        Tool_Type = "unknown"
        Description = "Detects script samples known to start SEASPY after reboot"
        SHA256 = "29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b"
    strings:
        // ASCII: ! -d ${rc_base}/rc${runlevel}.d
        $s1 = { 21 20 2d 64 20 24 7b 72 63 5f 62 61 73 65 7d 2f 72 63 24 7b 72 75 6e 6c 65 76 65 6c 7d 2e 64 }
        // ASCII: Running scripts for runlevel $runlevel
        $s2 = { 52 75 6e 6e 69 6e 67 20 73 63 72 69 70 74 73 20 66 6f 72 20 72 75 6e 6c 65 76 65 6c 20 24 72 75 6e 6c 65 76 65 6c }
        // ASCII: [ -f ${prev_start} ] && [ ! -f ${stop} ] && continue
        $s3 = { 5b 20 2d 66 20 24 7b 70 72 65 76 5f 73 74 61 72 74 7d 20 5d 20 26 26 20 5b 20 21 20 2d 66 20 24 7b 73 74 6f 70 7d 20 5d 20 26 26 20 63 6f 6e 74 69 6e 75 65 }
        // ASCII: ${i} start >>/root/boot.log 2>>/root/boot.log
        $s4 = { 24 7b 69 7d 20 73 74 61 72 74 20 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 20 32 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 }
        // ASCII: /sbin/BarracudaMailService eth0
        $s5 = { 2f 73 62 69 6e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }
    condition:
        // Every string must be present for the rule to match
        all of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.