Indicator (IOC)
Essential information
- Value / Name
- 4c9f59bafba49c8dda245fb992418c66a9427691
- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 03/06/2022 13:40
- Valid until
- 06/09/2023 13:40
- Pattern type
- yara
- Published
- 20/12/2025 19:34
- Modified
- 20/12/2025 21:15
- Author / Source
- AlienVault
Description
potentially unwanted GO application with proxy communication capabilities
Pattern
rule general_win_golang_socks
{
    meta:
        author = "paloaltonetworks"
        date = "2022-03-13"
        description = "potentially unwanted GO application with proxy communication capabilities"
    strings:
        $go_name_1 = "main.go" nocase ascii // default go name for the "func main(){...}" in "package main"
        $go_name_2 = "eagle" nocase ascii
        $go_name_3 = "popo" nocase ascii
        $go_name_4 = "-Client-Dll/" nocase ascii
        $go_pkg_1 = "github.com/armon/go-socks5" nocase wide ascii
        $go_pkg_2 = "github.com/hashicorp/yamux" nocase wide ascii
        $go_pkg_3 = "github.com/fatedier/frp/vendor" wide ascii
        $go_pkg_4 = "github.com/rofl0r/rocksocks5" wide ascii
    condition:
        uint16(0) == 0x5a4d and
        filesize < 7MB and
        (
            1 of ($go_name_*) and
            2 of ($go_pkg_*)
        )
}
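The rule fires only when the file starts with the PE magic (uint16(0) == 0x5a4d is "MZ" read little-endian), is under 7 MiB, contains at least one of the $go_name_* strings and at least two of the $go_pkg_* strings. Two details are easy to misread: $go_pkg_1 and $go_pkg_2 are `nocase`, while $go_pkg_3 and $go_pkg_4 are case-sensitive, and all four package strings are searched both as plain ASCII and as UTF-16LE (`wide`), which the $go_name_* strings are not. The following is an added worked example, not part of the indicator or of Palo Alto Networks' rule: a pure-Python re-implementation of the condition that can be stepped through without yara-python. The "binaries" it scans are constructed byte strings, not real samples.

```python
"""Pure-Python re-implementation of the general_win_golang_socks condition.

Added example: mirrors the YARA semantics used by the rule (MZ check,
filesize, `nocase`, `wide`/`ascii`, `1 of`/`2 of`). The sample blobs
below are constructed stand-ins, not real files.
"""
import re

SEVEN_MB = 7 * 1024 * 1024  # YARA's `7MB`

# (bytes, nocase, wide, ascii) exactly as declared in the rule's strings section.
GO_NAME = [
    (b"main.go", True, False, True),
    (b"eagle", True, False, True),
    (b"popo", True, False, True),
    (b"-Client-Dll/", True, False, True),
]
GO_PKG = [
    (b"github.com/armon/go-socks5", True, True, True),
    (b"github.com/hashicorp/yamux", True, True, True),
    (b"github.com/fatedier/frp/vendor", False, True, True),  # case-sensitive
    (b"github.com/rofl0r/rocksocks5", False, True, True),    # case-sensitive
]


def _forms(s, wide, ascii_):
    """Byte encodings YARA searches for: plain ASCII and/or UTF-16LE ('wide')."""
    forms = []
    if ascii_:
        forms.append(s)
    if wide:
        forms.append(s.decode("ascii").encode("utf-16-le"))
    return forms


def string_hits(data, s, nocase, wide, ascii_):
    """True if any declared encoding of `s` occurs in `data`, honouring `nocase`."""
    for form in _forms(s, wide, ascii_):
        if nocase:
            # re.IGNORECASE on bytes folds ASCII letters only, matching YARA's
            # nocase; the interleaved NUL bytes of a wide string are untouched.
            if re.search(re.escape(form), data, re.IGNORECASE):
                return True
        elif form in data:
            return True
    return False


def evaluate(data):
    """Return each sub-condition of the rule plus the final verdict."""
    result = {
        "mz": data[:2] == b"MZ",            # uint16(0) == 0x5a4d, little-endian
        "size_ok": len(data) < SEVEN_MB,    # filesize < 7MB
        "go_name": sum(string_hits(data, *s) for s in GO_NAME),  # "1 of"
        "go_pkg": sum(string_hits(data, *s) for s in GO_PKG),    # "2 of"
    }
    result["match"] = (result["mz"] and result["size_ok"]
                       and result["go_name"] >= 1 and result["go_pkg"] >= 2)
    return result


def fake_pe(*fragments):
    """Constructed stand-in for a PE image: MZ magic, padding, then the fragments."""
    return b"MZ" + b"\x00" * 126 + b"PE\x00\x00" + b"|".join(fragments)


# Constructed samples (not real malware).
# 1. Matches: upper-case "MAIN.GO" still counts (nocase); one package path is
#    stored as UTF-16LE (wide), the other as plain ASCII.
HIT = fake_pe(
    b"C:/build/MAIN.GO",
    "github.com/armon/go-socks5".encode("utf-16-le"),
    b"github.com/hashicorp/yamux",
)
# 2. No match: two package paths present, but $go_pkg_3 is declared without
#    nocase, so the re-cased "GitHub.com/..." does not count and only one hits.
MISS_CASE = fake_pe(
    b"main.go",
    b"github.com/hashicorp/yamux",
    b"GitHub.com/fatedier/frp/vendor",
)
# 3. No match: all the strings, but an ELF header instead of MZ.
MISS_ELF = b"\x7fELF" + b"\x00" * 60 + b"|".join(
    [b"main.go", b"github.com/armon/go-socks5", b"github.com/hashicorp/yamux"])

if __name__ == "__main__":
    for name, blob in (("HIT", HIT), ("MISS_CASE", MISS_CASE), ("MISS_ELF", MISS_ELF)):
        print(name, evaluate(blob))
```

The MISS_CASE sample is the one worth noting when tuning this rule: a Go binary built from a vendored copy of frp whose import path differs only in letter case from "github.com/fatedier/frp/vendor" would not contribute to the "2 of" count, because that string lacks `nocase`. The ELF sample shows that the rule is Windows-only by construction; a Linux build of the same code never reaches the string checks.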
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.