Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:40 · Modified 21/12/2025 00:57

Essential information

Value / Name
6ec815d9acfee40f23b3f748b469754cd0669eee
Confidence
100/100
Revoked
Yes
Valid from
09/08/2023 23:44
Valid until
11/11/2024 22:44
Pattern type
yara
Published
20/12/2025 19:40
Modified
21/12/2025 00:57
Author / Source
AlienVault

Description

No description.

Pattern

rule CISA_10454006_10 : trojan persists_after_system_reboot
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10454006"
        Date = "2023-07-20"
        Last_Modified = "20230726_1700"
        Actor = "n/a"
        Family = "n/a"
        Capabilities = "persists-after-system-reboot"
        Malware_Type = "trojan"
        Tool_Type = "unknown"
        Description = "Detects script samples known to start SEASPY after reboot"
        SHA256 = "29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b"

    strings:
        // Each hex sequence is an ASCII fragment of a SysV-style rc script;
        // the decoded text is given in the comment above each string.

        // "! -d ${rc_base}/rc${runlevel}.d"
        $s1 = { 21 20 2d 64 20 24 7b 72 63 5f 62 61 73 65 7d 2f 72 63 24 7b 72 75 6e 6c 65 76 65 6c 7d 2e 64 }

        // "Running scripts for runlevel $runlevel"
        $s2 = { 52 75 6e 6e 69 6e 67 20 73 63 72 69 70 74 73 20 66 6f 72 20 72 75 6e 6c 65 76 65 6c 20 24 72 75 6e 6c 65 76 65 6c }

        // "[ -f ${prev_start} ] && [ ! -f ${stop} ] && continue"
        $s3 = { 5b 20 2d 66 20 24 7b 70 72 65 76 5f 73 74 61 72 74 7d 20 5d 20 26 26 20 5b 20 21 20 2d 66 20 24 7b 73 74 6f 70 7d 20 5d 20 26 26 20 63 6f 6e 74 69 6e 75 65 }

        // "${i} start >>/root/boot.log 2>>/root/boot.log"
        $s4 = { 24 7b 69 7d 20 73 74 61 72 74 20 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 20 32 3e 3e 2f 72 6f 6f 74 2f 62 6f 6f 74 2e 6c 6f 67 }

        // "/sbin/BarracudaMailService eth0"
        $s5 = { 2f 73 62 69 6e 2f 42 61 72 72 61 63 75 64 61 4d 61 69 6c 53 65 72 76 69 63 65 20 65 74 68 30 }

    condition:
        all of them
}

Labels / Tags

Labels: cisa gnulinux malware seaspy seaspy backdoor whirlpool

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.