216.73.217.98

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:42 · Modified 21/12/2025 03:06

Essential information

Value / Name
214f6212341ad8af8e060a6eeae3a7c1ddf6487d
Confidence
100/100
Revoked
Yes
Valid from
02/02/2024 12:49
Valid until
07/05/2025 13:49
Pattern type
yara
Published
20/12/2025 19:42
Modified
21/12/2025 03:06
Author / Source
AlienVault

Description

Detect OCEANMAP from CERT-UA#8399

Pattern

rule masepie_campaign_oceanmap   
   {   
       meta:   
           description = "Detect OCEANMAP from CERT-UA#8399"   
           references = "TRR240101;https://cert.gov.ua/article/6276894"   
           hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04"   
           date = "2024-01-24"   
           modified = "2024-01-31"   
           author = "HarfangLab"   
           context = "file"   
       strings:   
           $dotNet = ".NETFramework,Version" ascii fullword   
           $a1 = "$ SELECT INBOX.Drafts" wide fullword   
           $a2 = "$ SELECT Drafts" wide fullword   
           $a3 = "$ UID SEARCH subject \"" wide fullword   
           $a4 = "$ APPEND INBOX {" wide fullword   
           $a5 = "+FLAGS (\\Deleted)" wide fullword   
           $a6 = "$ EXPUNGE" wide fullword   
           $a7 = "BODY.PEEK[text]" wide fullword   
           $t1 = "change_time" ascii fullword   
           $t2 = "ReplaceBytes" ascii fullword   
           $t3 = "fcreds" ascii fullword   
           $t4 = "screds" ascii fullword   
           $t5 = "r_creds" ascii fullword   
           $t6 = "comp_id" ascii fullword   
           $t7 = "changesecond" wide fullword   
           $t8 = "taskkill /F /PID" wide fullword   
           $t9 = "cmd.exe" wide fullword   
       condition:    
           filesize > 8KB and filesize < 100KB   
           and (uint16be(0) == 0x4D5A)   
           and $dotNet   
           and (3 of ($a*))   
           and (2 of ($t*))   
   }

Labels / Tags

Labels: apt28 fancy bear sofacy

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.