216.73.217.80

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:32 · Modified 20/12/2025 19:47

Essential information

Value / Name
92fe17c33fc9a81f5db9efbfeadfd7a6e4f704e8
Confidence
100/100
Revoked
Yes
Valid from
20/05/2022 10:48
Valid until
23/08/2023 10:48
Pattern type
yara
Published
20/12/2025 19:32
Modified
20/12/2025 19:47
Author / Source
AlienVault

Description

Detect loader used by TwistedPanda

Pattern

rule apt_CN_TwistedPanda_loader {   
      meta:   
         author = "Check Point Research"   
         description = "Detect loader used by TwistedPanda"   
         date = "2022-04-14"   
         hash = "5b558c5fcbed8544cb100bd3db3c04a70dca02eec6fedffd5e3dcecb0b04fba0"   
         hash = "efa754450f199caae204ca387976e197d95cdc7e83641444c1a5a91b58ba6198"   
            
      strings:   
            
         // 6A 40                                   push    40h ; '@'   
         // 68 00 30 00 00                          push    3000h   
         $seq1 = { 6A 40 68 00 30 00 00 }   
            
         // 6A 00                                   push    0               ; lpOverlapped   
         // 50                                      push    eax             ; lpNumberOfBytesRead   
         // 6A 14                                   push    14h             ; nNumberOfBytesToRead   
         // 8D ?? ?? ?? ?? ??                       lea     eax, [ebp+Buffer]   
         // 50                                      push    eax             ; lpBuffer   
           // 53                                      push    ebx             ; hFile   
         // FF 15 04 D0 4C 70                       call    ds:ReadFile   
         $seq2 = { 6A 00 50 6A 14 8D ?? ?? ?? ?? ?? 50 53 FF }   
      
         // 6A 00                                   push    0   
         // 6A 00                                   push    0   
         // 6A 03                                   push    3   
         // 6A 00                                   push    0   
         // 6A 03                                   push    3   
         // 68 00 00 00 80                          push    80000000h   
         $seq3 = { 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 80 }   
                  
         // Decryption sequence   
         $decryption = { 8B C? [2-3] F6 D? 1A C? [2-3] [2-3] 30 0? ?? 4? }   
       
      condition:   
         // MZ signature at offset 0 and ...   
         uint16(0) == 0x5A4D and   
              
         // ... PE signature at offset stored in MZ header at 0x3C   
         uint32(uint32(0x3C)) == 0x00004550 and    
         filesize < 3000KB and all of ($seq*) and $decryption   
   }

Labels / Tags

Labels: hodur plugx spinner twisted panda

Marking (TLP)

TLP:CLEAR