216.73.217.80

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:15

Essential information

Value / Name
general_win_faked_dlls_export_popo
Confidence
100/100
Revoked
Yes
Valid from
03/06/2022 13:40
Valid until
06/09/2023 13:40
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:15
Author / Source
AlienVault

Description

general_win_faked_dlls_export_popo Detects DLL files with an export function named 'popo'

Pattern

import "pe"

rule general_win_faked_dlls_export_popo
{
    meta:
        author = "paloaltonetworks"
        date = "2022-03-13"
        description = "Detects DLL files with an export function named 'popo'"
        hash0 = "e5e89d8db12c7dacddff5c2a76b1f3b52c955c2e86af8f0b3e36c8a5d954b5e8"   // fake uxtheme.dll
        hash1 = "95676c8eeaab93396597e05bb4df3ff8cc5780ad166e4ee54484387b97f381df"   // fake uxtheme.dll
        hash2 = "59d12f26cbc3e49e28be13f0306f5a9b1a9fd62909df706e58768d2f0ccca189"   // fake uxtheme.dll
        hash3 = "0dc8f17b053d9bfab45aed21340a1f85325f79e0925caf21b9eaf9fbdc34a47a"   // ClickRuntime-amd86.dll

    condition:
        // Must be a DLL (both the characteristics flag and the pe module's own check)
        (pe.characteristics & pe.DLL) and pe.is_dll() and
        filesize < 20MB and
        (
            // Match the suspicious export under either capitalisation
            pe.exports("popo") or
            pe.exports("Popo")
        )
}

Labels / Tags

Labels: going eagle, popping eagle, psexec

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.