216.73.217.172

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:35 · Modified 20/12/2025 22:03

Essential information

Value / Name: 470dbc78097d6c70939d7bc97a5e9c0a79992f79
Confidence: 100/100
Revoked: Yes
Valid from: 03/10/2022 14:46
Valid until: 06/01/2024 13:46
Pattern type: yara
Published: 20/12/2025 19:35
Modified: 20/12/2025 22:03
Author / Source: AlienVault

Description

Finds opcodes to set a port to bind on 2233, encompassing the setsockopt(), htons(), and bind() from 40973d to 409791 in fe34b7c071d96dac498b72a4a07cb246

Pattern

rule M_APT_VIRTUALPITA_1
{
    meta:
        author = "Mandiant"
        md5 = "fe34b7c071d96dac498b72a4a07cb246"
        description = "Finds opcodes to set a port to bind on 2233, encompassing the setsockopt(), htons(), and bind() from 40973d to 409791 in fe34b7c071d96dac498b72a4a07cb246"
    strings:
        // setsockopt()/htons()/bind() opcode sequence; wildcards and jumps absorb register and displacement variance
        $x = {8b ?? ?? 4? b8 04 00 00 00 [0 - 4] ba 02 00 00 00 be 01 00 00 00 [0 - 2] e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 79 [0 - 50] ba 10 00 00 00 [0 - 10] e8}
    condition:
        // ELF magic (0x7f 'E' 'L' 'F' read as little-endian uint32) and the opcode pattern
        uint32(0) == 0x464c457f and all of them
}

Labels / Tags

Labels: esxi vibs virtualpie virtualpita vmware vmware esxi

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.