216.73.216.36

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 20/12/2025 23:34

Essential information

Value / Name
955f1309d0c2b80fb3aace6943c32ca1c0557f81
Confidence
100/100
Revoked
Yes
Valid from
14/03/2023 04:35
Valid until
16/06/2024 05:35
Pattern type
yara
Published
20/12/2025 19:38
Modified
20/12/2025 23:34
Author / Source
AlienVault

Description

Hunting rule for HOOKSHOT

Pattern

rule M_Hunting_HOOKSHOT {   
    meta:   
    author = "autopatt"   
    description = "Hunting rule for HOOKSHOT"   
    strings:   
    $p00_0 = {8bb1[4]408873??85f675??488b81[4]488b88[4]4885c974??e8}   
    $p00_1 = {8bf3488bea85db0f84[4]4c8d2d[4]66904c8d4424??8bd6488bcd}   
    condition:   
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and   
    (   
    ($p00_0 in (470000..490000) and $p00_1 in (360000..380000))   
    )   
   }

Labels / Tags

Labels: lidshift lidshot lightshift phish plankwalk sideshow temp.hermit tightvnc viewer touchshift unc2970 wordpress

Marking (TLP)

TLP:CLEAR

Related entities

Reports and intrusion sets linked to this IOC.

Intrusion sets (1)

  • TEMP.Hermit
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 ·