Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 20/12/2025 23:34

Essential information

Value / Name: 318ebae17599da88f559ecd2d16add02e4f608d9
Confidence: 100/100
Revoked: Yes
Valid from: 14/03/2023 04:35
Valid until: 16/06/2024 05:35
Pattern type: yara
Published: 20/12/2025 19:38
Modified: 20/12/2025 23:34
Author / Source: AlienVault

Description

Hunting rule for TOUCHSHIFT

Pattern

rule M_DropperMemonly_TOUCHSHIFT_1 {
    meta:
        author = "Mandiant"
        description = "Hunting rule for TOUCHSHIFT"
    strings:
        $p00_0 = {0943??eb??ff43??b0??eb??e8[4]c700[4]e8[4]32c0}
        $p00_1 = {4c6305[4]ba[4]4c8b0d[4]488b0d[4]ff15[4]4c6305[4]ba[4]4c8b0d[4]488b0d}
    condition:
        // MZ header at offset 0 and "PE\0\0" at the e_lfanew offset: a PE file
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            // both code patterns must appear within their expected file ranges
            ($p00_0 in (70000..90000) and $p00_1 in (0..64000))
        )
}

Labels / Tags

Labels: lidshift lidshot lightshift phish plankwalk sideshow temp.hermit tightvnc viewer touchshift unc2970 wordpress

Marking (TLP)

TLP:CLEAR