216.73.216.170

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:36 · Modified 20/12/2025 22:26

Essential information

Value / Name
bf4a7a1cb171cf490b44f66f0154021f5e9d88d0
Confidence
100/100
Revoked
Yes
Valid from
21/10/2022 08:32
Valid until
24/01/2024 07:32
Pattern type
yara
Published
20/12/2025 19:36
Modified
20/12/2025 22:26
Author / Source
AlienVault

Description

No description.

Pattern

rule URSNIF_LDR4 {   
     strings:   
    $str1 = "LOADER.dll" fullword   
    $str2 = "DllRegisterServer" fullword   
    $str3 = ".bss" fullword   
     $x64_code1 = { 3D 2E 62 73 73 74 0A 48 83 C7 28 }   
    $x64_code2 = { 8B 17 48 83 C7 04 8B CA 8b C2 23 CB 0B C3 F7 D1 23 C8 41 2B CA 44 8B D2 41 89 08 41 8B CB 49 83 C0 04 83 E1 07 FF C1 41 D3 C2 41 83 EB 04 79 }   
    $x64_code3 = { 41 0F B6 01 49 FF C1 8B C8 8B D0 83 E1 03 C1 E1 03 D3 E2 44 03 C2 41 83 C2 FF 75 }   
    $x64_code4 = { 45 8D 45 08 48 8D 8C 24 [4] BA 30 00 FE 7F E8 }   
    $x64_code5 = { 48 8D 8C 24 [4] BA 30 00 FE 7F 41 B8 08 00 00 00 E8 }   
     $x86_code1 = { 81 F9 2E 62 73 73 74 09 83 C6 28 }   
    $x86_code2 = { 8B 06 8B D0 23 55 0C 8B D8 0B 5D 0C F7 D2 23 D3 2B D1 8A 4D 08 80 E1 07 83 C6 04 89 17 83 C7 04 FE C1 D3 C0 83 6D 08 04 8B C8 79 }   
    $x86_code3 = { 8A 0E 0F B6 D1 8B CA 83 E1 03 C1 E1 03 D3 E2 46 03 C2 4F 75 }   
    $x86_code4 = { 6A 08 8D 45 F8 68 30 00 FE 7F 50 E8 }   
     condition:   
    5 of them   
    }

Labels / Tags

Labels: dll side-loading gozi malicious word document phishing ransomware rm3 variant sandbox evasion steganography ursnif

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.