Indicator (IOC)

yara · Revoked · AlienVault · Published 20/12/2025 19:38 · Modified 21/12/2025 00:08

Essential information

Value / Name: b21c87897a874f9ba9c62d48ec73a5da1fda38d1
Confidence: 100/100
Revoked: Yes
Valid from: 18/03/2023 19:10
Valid until: 20/06/2024 20:10
Pattern type: yara
Published: 20/12/2025 19:38
Modified: 21/12/2025 00:08
Author / Source: AlienVault

Description

Detects ExtremeVNC implant (Reaper)

Pattern

rule apt_Reaper_extremevnc {
    meta:
        id = "c519de4f-1db5-4d4a-93b8-f1e7c0827af0"
        version = "1.0"
        malware = "ExtremeVNC"
        intrusion_set = "Reaper"
        description = "Detects ExtremeVNC implant (Reaper)"
        source = "SEKOIA.IO"
        creation_date = "2023-03-09"
        classification = "TLP:WHITE"
    strings:
        $ = "--myboundary--"
        $ = "COntent-Transfer-Encoding: 8bit"
        $ = "CLIP_REQ"
        $ = "SC_REQ"
        $ = "BROWSER_REQ"
        $ = "Unknown-PC"
    condition:
        uint16be(0) == 0x4d5a and
        filesize < 1MB and
        4 of them
}

Labels / Tags

Labels: ablygo apt backdoor chinotto chm espionage extremevnc mshta phishing powershell reaper

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.