Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:40 · Modified 21/12/2025 01:00

Essential information

Value / Name: 478b7f22b0faac82c10b733dbb71fa12c5e9fbad
Confidence: 100/100
Revoked: Yes
Valid from: 21/08/2023 16:41
Valid until: 23/11/2024 15:41
Pattern type: yara
Published: 20/12/2025 19:40
Modified: 21/12/2025 01:00
Author / Source: AlienVault

Description

No description.

Pattern

rule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10452108"
        Date = "2023-06-20"
        Last_Modified = "20230804_1730"
        Actor = "n/a"
        Family = "WHIRLPOOL"
        Capabilities = "communicates-with-c2 installs-other-components"
        Malware_Type = "backdoor"
        Tool_Type = "unknown"
        Description = "Detects malicious Linux WHIRLPOOL samples"
        SHA256_1 = "83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c"
        SHA256_2 = "8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347"
    strings:
        // ASCII "error -1 exit"
        $s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }
        // ASCII "create socket error: %s(error: %d)"
        $s1 = { 63 72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
        // x86 stores of the immediates " 2>&" and "1\0", i.e. " 2>&1" written into a buffer
        $s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }
        // ASCII "plain_connect"
        $a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }
        // ASCII "connect error: %s(error: %d)"
        $a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }
        // ASCII "ssl_connect"
        $a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }
    condition:
        // File starts with the ELF magic ("\x7fELF") and at least four of the six strings match
        uint32(0) == 0x464c457f and 4 of them
}

Labels / Tags

Labels: backdoor cisa gnulinux malware seaspy seaspy backdoor whirlpool

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.