216.73.216.36

Indicator (IOC)

Pattern type: yara · Status: Revoked · Source: AlienVault · Published 20/12/2025 19:38 · Modified 21/12/2025 00:08

Essential information

Value / Name
0225487af67c1c3521c221de757f9ceeaf31b11f
Confidence
100/100
Revoked
Yes
Valid from
18/03/2023 19:10
Valid until
20/06/2024 20:10
Pattern type
yara
Published
20/12/2025 19:38
Modified
21/12/2025 00:08
Author / Source
AlienVault

Description

Detects Reaper Chinotto Powershell Variant

Pattern

rule apt_Reaper_Chinotto_PowerShell_Variant {
    meta:
        id = "fa42b225-58fe-4e00-b84b-df37491d8fdd"
        version = "1.0"
        malware = "Chinotto"
        intrusion_set = "Reaper"
        description = "Detects Reaper Chinotto Powershell Variant"
        source = "SEKOIA.IO"
        creation_date = "2023-03-06"
        classification = "TLP:WHITE"
    strings:
        $ = "$env:COMPUTERNAME + '-' + $env:USERNAME;" ascii wide
        $ = "while($true -eq $true)" ascii wide
        $ = "Start-Sleep -Seconds" ascii wide
        $ = " -ne 'null' -and $" ascii wide
        $ = "= 'R=' + [System.Convert]::" ascii wide
        $ = "[string]$([char]0x0D) + [string]$([char]0x0A);" ascii wide
    condition:
        4 of them
}
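The rule above is a plain substring rule: six anonymous strings, each searched in both its ASCII form and its UTF-16LE ("wide") form, and a hit is declared when any 4 of the 6 are present. The following Python is an added example, not part of this indicator page or of the SEKOIA.IO rule, that re-implements exactly that logic so a reader can see what "ascii wide" and "4 of them" mean in practice. The three PowerShell samples inside it are constructed for illustration and are not Chinotto samples; the wide sample is the same text re-encoded as UTF-16LE, which is how a script saved with a UTF-16 editor or passed through -EncodedCommand would appear on disk. Note the metadata at the top of the page: the indicator is marked Revoked, with a validity window that ended 20/06/2024, so this is for understanding the rule, not for deploying it as-is.

```python
"""Re-implementation of apt_Reaper_Chinotto_PowerShell_Variant's match logic.

Added example for this indicator page; it is not the rule author's code.
YARA semantics reproduced: each string is matched as raw ASCII bytes *or*
as UTF-16LE bytes ("ascii wide"), and the rule fires when at least
THRESHOLD distinct strings are found ("4 of them").
"""

# The six anonymous strings, copied verbatim from the rule's strings: section.
RULE_STRINGS = [
    "$env:COMPUTERNAME + '-' + $env:USERNAME;",
    "while($true -eq $true)",
    "Start-Sleep -Seconds",
    " -ne 'null' -and $",
    "= 'R=' + [System.Convert]::",
    "[string]$([char]0x0D) + [string]$([char]0x0A);",
]
THRESHOLD = 4  # "4 of them"


def string_variants(s: str) -> tuple[bytes, bytes]:
    """Return the (ascii, wide) byte forms YARA searches for a string with
    the `ascii wide` modifiers. `wide` is UTF-16LE without a BOM."""
    return s.encode("ascii"), s.encode("utf-16-le")


def match_rule(data: bytes) -> tuple[bool, list[str]]:
    """Evaluate the rule against a byte buffer.

    Returns (matched, hits): `hits` lists the rule strings found in either
    encoding, `matched` is True when len(hits) >= THRESHOLD.
    """
    hits = []
    for s in RULE_STRINGS:
        ascii_form, wide_form = string_variants(s)
        if ascii_form in data or wide_form in data:
            hits.append(s)
    return len(hits) >= THRESHOLD, hits


# Constructed sample (not real malware): a beacon loop written to contain
# all six rule strings, so it shows what the rule is keyed on.
BEACON_LIKE = """\
$id = $env:COMPUTERNAME + '-' + $env:USERNAME;
$nl = [string]$([char]0x0D) + [string]$([char]0x0A);
while($true -eq $true) {
    $cmd = Get-Content -Path $taskfile -ErrorAction SilentlyContinue
    if ($cmd -ne 'null' -and $cmd.Length -gt 0) {
        $out = Invoke-Expression $cmd | Out-String
        $body = 'R=' + [System.Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($out + $nl))
    }
    Start-Sleep -Seconds 60
}
"""

# Constructed benign-looking sample: a polling script that shares three of the
# six strings (hostname tag, infinite loop, Start-Sleep). Three is below the
# threshold, so the rule must NOT fire on it.
POLLER_NEAR_MISS = """\
$tag = $env:COMPUTERNAME + '-' + $env:USERNAME;
while($true -eq $true) {
    Write-Host "$tag still alive"
    Start-Sleep -Seconds 300
}
"""

SAMPLES = {
    "beacon_ascii": BEACON_LIKE.encode("ascii"),
    "beacon_wide": BEACON_LIKE.encode("utf-16-le"),   # exercises the `wide` path
    "poller_near_miss": POLLER_NEAR_MISS.encode("ascii"),
}


def scan(samples: dict[str, bytes]) -> dict[str, tuple[bool, int]]:
    """Run the rule over every sample; returns name -> (matched, hit_count)."""
    return {name: (m, len(h)) for name, (m, h) in
            ((name, match_rule(data)) for name, data in samples.items())}


if __name__ == "__main__":
    for name, (matched, count) in scan(SAMPLES).items():
        print(f"{name:18s} matched={matched!s:5s} strings_hit={count}/{len(RULE_STRINGS)}")
```

The near-miss sample is the important one: anonymous-string rules with an "N of them" condition are deliberately tolerant of small edits, so when tuning a threshold it is worth checking how many of the strings ordinary admin scripts in your environment happen to contain. Running the real rule with the `yara` CLI against the same files should agree with this script; if it does not, the difference is in string encoding, not in the condition.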

Labels / Tags

Labels: ablygo apt backdoor chinotto chm espionage extremevnc mshta phishing powershell reaper

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.