216.73.216.215

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:32

Essential information

Value / Name
3b404215bfcdecab3497feddcb820b7aabf587c5
Confidence
100/100
Revoked
Yes
Valid from
06/07/2022 10:42
Valid until
09/10/2023 10:42
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:32
Author / Source
AlienVault

Description

Detects Bitter (T-APT-17) Almond RAT (.NET)

Pattern

import "dotnet"
rule APT_Bitter_Almond_RAT { meta:    
   description = "Detects Bitter (T-APT-17) Almond RAT (.NET)"    
   author = "SECUINFRA Falcon Team (@SI_FalconTeam)"    
   tlp = "WHITE" reference = " https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"    
   date = "2022-06-01" hash = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396" strings:    
   $function0 = "GetMacid" ascii    
   $function1 = "StartCommWithServer" ascii    
   $function2 = "sendingSysInfo" ascii    
   $dbg0 = "*|END|*" wide    
   $dbg1 = "FILE>" wide    
   $dbg2 = "[Command Executed Successfully]" wide condition:    
   uint16(0) == 0x5a4d    
   and dotnet.version == "v4.0.30319"    
   and filesize > 12KB // Size on Disk/1.5    
   and filesize < 68KB // Size of Image*1.5    
   and any of ($function*)    
   and any of ($dbg*)    
   }

Labels / Tags

Labels: almond rat apt bitter cve20180798 muuydownloader zxxz

Marking (TLP)

TLP:CLEAR