216.73.216.233

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 22:37 · Modified 20/12/2025 22:37

Essential information

Value / Name
dfcd1c5666d4219d17f0348ec02c19483bb8ef9f
Confidence
100/100
Revoked
Yes
Valid from
28/11/2022 18:09
Valid until
02/03/2024 18:09
Pattern type
yara
Published
20/12/2025 22:37
Modified
20/12/2025 22:37
Author / Source
AlienVault

Description

No description.

Pattern

rule M_Hunting_Dropper_DARKDEW_1 {   
    meta:   
    author = "Mandiant"   
    strings:   
    $s1 = "do inroot" ascii   
    $s2 = "disk_watch" ascii   
    $s5 = "G:\\project\\APT\\" ascii   
    $s3 = "c:\\programdata\\udisk" ascii   
    $s4 = "new\\shellcode\\Release\\shellcode.pdb" ascii   
    condition:   
    filesize < 500KB and   
    (2 of ($s*))   
   }

Labels / Tags

Labels: backdoor bluehaze darkdew mistcloak ncat unc4191 usb network

Marking (TLP)

TLP:CLEAR

Related entities

Reports and intrusion sets linked to this IOC.

Intrusion sets (1)

  • UNC4191
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 ·