Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 21/12/2025 00:08

Essential information

Value / Name: a38f2c8185de8ab5005675b2bdba8dc65ad6e7db
Confidence: 100/100
Revoked: Yes
Valid from: 18/03/2023 19:10
Valid until: 20/06/2024 20:10
Pattern type: yara
Published: 20/12/2025 19:38
Modified: 21/12/2025 00:08
Author / Source: AlienVault

Description

Detects malicious Reaper HTA files

Pattern

rule apt_Reaper_Malicious_HTA_file {
    meta:
        id = "22a98c27-8ff4-4760-b505-f8eacf4dabda"
        version = "1.0"
        intrusion_set = "Reaper"
        description = "Detects malicious Reaper HTA files"
        source = "SEKOIA.IO"
        creation_date = "2023-03-06"
        classification = "TLP:WHITE"
    strings:
        $s1 = "<HTML>" nocase
        $s2 = " UwB0AGEAcgB0AC0AUwBs" ascii
        $s3 = "= new ActiveXObject(" ascii
        $s4 = "\", \"\", \"open\", 0);" ascii
        $s5 = ".moveTo(" ascii
        $s6 = "self.close();" ascii
    condition:
        $s1 at 0 and all of them and filesize < 1MB
}

Labels / Tags

Labels: ablygo apt backdoor chinotto chm espionage extremevnc mshta phishing powershell reaper

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.