216.73.216.215

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:42 · Modified 21/12/2025 03:24

Essential information

Value / Name
9809f2bbfff6559775bbe3f2656155515e3cd137
Confidence
100/100
Revoked
Yes
Valid from
25/03/2024 13:29
Valid until
28/06/2025 14:29
Pattern type
yara
Published
20/12/2025 19:42
Modified
21/12/2025 03:24
Author / Source
AlienVault

Description

Detects payload invocation stub in WINELOADER

Pattern

rule M_APT_Downloader_WINELOADER_2   
   {   
   meta:   
   author = "Mandiant"   
   disclaimer = "This rule is meant for hunting and is not tested to run in a production environment."   
   description = "Detects payload invocation stub in WINELOADER"   
    strings:   
   // 48 8D 0D ?? ?? 00 00 lea rcx, module_start (Pointer to encrypted resource)   
   // 48 C7 C2 ?? ?? 00 00 mov rdx, ???? (size of encrypted source)   
   // E8 [4] call decryption   
   // 48 8D 05 [4] lea rcx, ??   
   // 48 8D 0D [4] lea rax, module_start (decrypted resource)   
   // 48 89 05 [4] mov ptr_mod, rax   
   //   
   $ = {48 8D 0D ?? ?? 00 00 48 C7 C2 ?? ?? 00 00 E8 [4] 48 8d 0D [4] 48 8D 05 [4] 48 89 05 }   
    condition:   
   all of them   
   }

Labels / Tags

Labels: apt29 beatdrop burntbatter daveshell jsobfuscated rootsaw ukraine wineloader

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.