216.73.217.172

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:34 · Modified 20/12/2025 21:32

Essential information

Value / Name
051e0f8d4471172309e6dd11ff6642bd6f903e51
Confidence
100/100
Revoked
Yes
Valid from
06/07/2022 10:42
Valid until
09/10/2023 10:42
Pattern type
yara
Published
20/12/2025 19:34
Modified
20/12/2025 21:32
Author / Source
AlienVault

Description

Detects Bitter (T-APT-17) PDB Paths

Pattern

rule APT_Bitter_PDB_Paths { meta:    
   description = "Detects Bitter (T-APT-17) PDB Paths"    
   author = "SECUINFRA Falcon Team (@SI_FalconTeam)"    
   tlp = "WHITE"    
   reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"    
   date = "2022-06-22"    
   hash0 = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396" strings:    
   // Almond RAT    
   $pdbPath0 = "C:\\Users\\Window 10 C\\Desktop\\COMPLETED WORK\\" ascii    
   $pdbPath1 = "stdrcl\\stdrcl\\obj\\Release\\stdrcl.pdb" // found by Qi Anxin Threat Intellingence Center    
   // reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg    
   $pdbPath2 = "g:\\Projects\\cn_stinker_34318\\"    
   $pdbPath3 = "renewedstink\\renewedstink\\obj\\Release\\stimulies.pdb" condition:    
   uint16(0) == 0x5a4d    
   and any of ($pdbPath*)    
   }

Labels / Tags

Labels: almond rat apt bitter cve20180798 muuydownloader zxxz

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.