Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 20/12/2025 23:34

Essential information

Value / Name: 9a15893c3bbdc60d3d0c2362ee92dd0f8df7c127
Confidence: 100/100
Revoked: Yes
Valid from: 14/03/2023 04:35
Valid until: 16/06/2024 05:35
Pattern type: yara
Published: 20/12/2025 19:38
Modified: 20/12/2025 23:34
Author / Source: AlienVault

Description

Hunting rule for LIGHTSHIFT

Pattern

rule M_Code_LIGHTSHIFT
{
    meta:
        author = "Mandiant"
        description = "Hunting rule for LIGHTSHIFT"
        sha256 = "ce501fd5c96223fb17d3fed0da310ea121ad83c463849059418639d211933aa4"
    strings:
        $p00_0 = {488b7c24??448d40??48037c24??488bcfff15[4]817c24[5]74??488b4b??33d2}
        $p00_1 = {498d7c01??8b47??85c075??496345??85c07e??8b0f41b9}
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            ($p00_0 in (750..11000) and $p00_1 in (0..8200))
        )
}

Labels / Tags

Labels: lidshift lidshot lightshift phish plankwalk sideshow temp.hermit tightvnc viewer touchshift unc2970 wordpress

Marking (TLP)

TLP:CLEAR