216.73.216.170

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:35 · Modified 20/12/2025 22:13

Essential information

Value / Name
e9d0227e256d71e622f2d0f1eef56fa671614d7d
Confidence
100/100
Revoked
Yes
Valid from
26/09/2022 14:48
Valid until
30/12/2023 13:48
Pattern type
yara
Published
20/12/2025 19:35
Modified
20/12/2025 22:13
Author / Source
AlienVault

Description

Files - file documents.lnk

Pattern

rule case_14373_bumblebee_documents_lnk {   
      meta:   
         description = "Files - file documents.lnk"   
         author = "The DFIR Report"   
         reference = "https://thedfirreport.com/"   
         date = "2022-09-26"   
         hash1 = "cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c"   
      strings:   
         $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide   
         $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii   
         $s3 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide   
         $s4 = "4System32" fullword wide   
         $s5 = "user-pc" fullword ascii   
         $s6 = "}Windows" fullword wide   
      condition:   
         uint16(0) == 0x004c and filesize < 4KB and   
         1 of ($x*) and all of them   
   }

Labels / Tags

Labels: anydesk bumblebee cobalt strike lsass metasploit meterpreter wmi

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.