Indicator (IOC)
Essential information
- Value / Name
fc986147bf530f1962b36a74420f6be8d7fecbfb
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 18/03/2023 19:10
- Valid until
- 20/06/2024 20:10
- Pattern type
- yara
- Published
- 20/12/2025 19:38
- Modified
- 21/12/2025 00:08
- Author / Source
- AlienVault
Description
Detects obfuscation or string of Chinotto
Pattern
rule APT_Reaper_Chinotto
{
    // Flags MZ-headed files smaller than 1 MiB that contain any one of three
    // byte sequences SEKOIA.IO attributes to the Chinotto malware (Reaper set).
    meta:
        id = "eff8fd11-dc7a-4011-b083-181d0cca8790"
        version = "1.0"
        malware = "Chinotto"
        intrusion_set = "Reaper"
        description = "Detects obfuscation or string of Chinotto"
        source = "SEKOIA.IO"
        creation_date = "2023-02-27"
        classification = "TLP:WHITE"

    strings:
        // Two 8-byte-operand stores (C7 85 ...), a 33 C0, a short jump EB 03
        // whose displacement equals the 3 bytes of padding that follow
        // (8D 49 00), then two 8B 8C 85 / 3B 8C 85 instructions with a 4-byte
        // displacement each. Under the usual x86 reading this is a register
        // clear, a jump over alignment filler and a load/compare pair — the
        // prologue of a decode loop. Confirm against a disassembled sample.
        $chunk_1 = { C7 85 ?? ?? ?? ?? ?? ?? ?? 00 C7 85 ?? ?? ?? ?? ?? ?? ?? 00
                     33 C0 EB 03 8D 49 00
                     8B 8C 85 ?? ?? ?? ?? 3B 8C 85 ?? ?? ?? ?? }

        // Same shape with a three-byte opcode/SIB prefix (C7 84 24 ... / 8B 8C 84
        // / 3B 8C 84) and a 13-byte jump (EB 0D) over 7 + 6 bytes of filler.
        // The seventh operand byte is only nibble-wildcarded (0?) rather than
        // fully wildcarded, so it matches 0x00..0x0F.
        $chunk_2 = { C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00 C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
                     33 C0 EB 0D 8D A4 24 00 00 00 00 8D 9B 00 00 00 00
                     8B 8C 84 ?? ?? ?? ?? 3B 8C 84 ?? ?? ?? ?? }

        // Four C7 45 ?? stores whose 4-byte immediates are the ASCII runs
        // "Zip " (5A 69 70 20), "Dir " (44 69 72 20), "Star" (53 74 61 72) and
        // "t - " (74 20 2D 20): the string "Zip Dir Start - " assembled on the
        // stack a dword at a time, which defeats a plain strings-scan.
        $movs_zip_dir_start = { C7 45 ?? 5A 69 70 20
                                C7 45 ?? 44 69 72 20
                                C7 45 ?? 53 74 61 72
                                C7 45 ?? 74 20 2D 20 }

    condition:
        // "MZ" at offset 0, read little-endian (identical to uint16be(0) == 0x4d5a).
        uint16(0) == 0x5a4d
        // 1MB in YARA units (1024 * 1024 bytes).
        and filesize < 1048576
        and any of ($chunk_1, $chunk_2, $movs_zip_dir_start)
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.