216.73.217.172

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:32

Essential information

Value / Name
dd1c6d6276efba12eff01052033aa3a3717f3af9
Confidence
100/100
Revoked
Yes
Valid from
06/07/2022 10:42
Valid until
09/10/2023 10:42
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:32
Author / Source
AlienVault

Description

Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)

Pattern

rule APT_Bitter_Maldoc_Verify { meta:    
   description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)"    
   author = "SECUINFRA Falcon Team (@SI_FalconTeam)"    
   tlp = "WHITE"    
   reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"    
   date = "2022-06-01"    
   hash0 = "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450"    
   hash1 = "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d"    
   hash2 = "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6" strings:    
   // This rule is meant to be used for verification of a Bitter Maldoc    
   // rather than a hunting rule since the oleObject it is matching is    
   // compressed in the doc zip $xor_string0 = "LoadLibraryA" xor    
   $xor_string1 = "urlmon.dll" xor    
   $xor_string2 = "Shell32.dll" xor    
   $xor_string3 = "ShellExecuteA" xor    
   $xor_string4 = "MoveFileA" xor    
   $xor_string5 = "CreateDirectoryA" xor    
   $xor_string6 = "C:\\Windows\\explorer" xor    
   $padding = {000001128341000001128341000001128342000001128342} condition:    
   3 of ($xor_string*)    
   and $padding    
   }

Labels / Tags

Labels: almond rat apt bitter cve20180798 muuydownloader zxxz

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.