Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:45 · Modified 21/12/2025 05:42

Essential information

Value / Name
loader_fakebat_initial_powershell_may24
Confidence
100/100
Revoked
Yes
Valid from
02/07/2024 10:53
Valid until
05/10/2025 10:53
Pattern type
yara
Published
20/12/2025 19:45
Modified
21/12/2025 05:42
Author / Source
AlienVault

Description

loader_fakebat_initial_powershell_may24 Finds FakeBat initial PowerShell script downloading and executing the next-stage payload.

Pattern

rule loader_fakebat_initial_powershell_may24 {
    meta:
        malware = "FakeBat"
        description = "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload."
        source = "Sekoia.io"
        classification = "TLP:WHITE"

    strings:
        $str01 = "='http" wide
        $str02 = "=(iwr -Uri $" wide
        $str03 = " -UserAgent $" wide
        $str04 = " -UseBasicParsing).Content; iex $" wide

    condition:
        3 of ($str*) and
        filesize < 1KB
}

Labels / Tags

Labels: drive-by download eugenfest eugenloader fakebat loader malvertising payk_34 paykloader social engineering

Marking (TLP)

TLP:CLEAR