Indicator (IOC)
Essential information
- Value / Name: loader_fakebat_initial_powershell_may24
- Confidence: 100/100
- Revoked: Yes
- Valid from: 02/07/2024 10:53
- Valid until: 05/10/2025 10:53
- Pattern type: yara
- Published: 20/12/2025 19:45
- Modified: 21/12/2025 05:42
- Author / Source: AlienVault
Description
loader_fakebat_initial_powershell_may24
Finds FakeBat initial PowerShell script downloading and executing the next-stage payload.
Pattern
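rule loader_fakebat_initial_powershell_may24 {
    meta:
        malware = "FakeBat"
        description = "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload."
        source = "Sekoia.io"
        classification = "TLP:WHITE"
    strings:
        // "wide" matches only the UTF-16LE encoding of each string
        $str01 = "='http" wide                              // URL assigned to a variable
        $str02 = "=(iwr -Uri $" wide                        // download via Invoke-WebRequest (iwr)
        $str03 = " -UserAgent $" wide                       // User-Agent supplied from a variable
        $str04 = " -UseBasicParsing).Content; iex $" wide   // response body passed to Invoke-Expression (iex)
    condition:
        // any three of the four fragments, in a file smaller than 1 KB
        3 of ($str*) and
        filesize < 1KB
}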
Labels / Tags
Marking (TLP)
TLP:CLEAR