Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:15

Essential information

Value / Name: 4c9f59bafba49c8dda245fb992418c66a9427691
Confidence: 100/100
Revoked: Yes
Valid from: 03/06/2022 13:40
Valid until: 06/09/2023 13:40
Pattern type: yara
Published: 20/12/2025 19:34
Modified: 20/12/2025 21:15
Author / Source: AlienVault

Description

potentially unwanted GO application with proxy communication capabilities

Pattern

rule general_win_golang_socks
{
    meta:
        author = "paloaltonetworks"
        date = "2022-03-13"
        description = "potentially unwanted GO application with proxy communication capabilities"

    strings:
        $go_name_1 = "main.go" nocase ascii // default go name for the "func main(){...}" in "package main"
        $go_name_2 = "eagle" nocase ascii
        $go_name_3 = "popo" nocase ascii
        $go_name_4 = "-Client-Dll/" nocase ascii

        $go_pkg_1 = "github.com/armon/go-socks5" nocase wide ascii
        $go_pkg_2 = "github.com/hashicorp/yamux" nocase wide ascii
        $go_pkg_3 = "github.com/fatedier/frp/vendor" wide ascii
        $go_pkg_4 = "github.com/rofl0r/rocksocks5" wide ascii

    condition:
        uint16(0) == 0x5a4d and
        filesize < 7MB and
        (
            1 of ($go_name_*) and
            2 of ($go_pkg_*)
        )
}

Labels / Tags

Labels: going eagle popping eagle psexec

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.