216.73.216.170

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:40 · Modified 21/12/2025 00:50

Essential information

Value / Name
dd2289669f1488351eb455d3650b2e051a453a5f
Confidence
100/100
Revoked
Yes
Valid from
08/06/2023 00:41
Valid until
10/09/2024 00:41
Pattern type
yara
Published
20/12/2025 19:40
Modified
21/12/2025 00:50
Author / Source
AlienVault

Description

Detects indicators of compromise in MOVEit Transfer exploitation.

Pattern

rule MOVEit_Transfer_exploit_webshell_dll {   
     meta:   
       date = "2023-06-01"   
      
   			    description = "Detects indicators of compromise in MOVEit Transfer exploitation."   
      
   			    author = "Djordje Lukic - Binalyze DFIR Lab"   
      
   			    hash1 = "7d7349e51a9bdcdd8b5daeeefe6772b5"   
      
   			    hash2 = "2387be2afe2250c20d4e7a8c185be8d9"   
      
   			    reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"   
      
   			    reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"   
      
   			    reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"   
      
   			    verdict = "dangerous"   
      
   			    mitre = "T1505.003"   
      
   			    platform = "windows"   
      
   			    search_context = "filesystem"   
      
   			  strings:   
      
   			    $a1 = "human2.aspx" wide   
      
   			    $a2 = "Delete FROM users WHERE RealName='Health Check Service'" wide   
      
   			    $a3 = "X-siLock-Comment" wide   
      
   			  condition:   
      
   			    uint16(0) == 0x5A4D and filesize < 20KB   
      
   			    and all of them   
      
   			}

Labels / Tags

Labels: azure sql cl0p cobalt strike cryptomix moveit transfer powershell ransomware sdbot sql injection tinymet truebot vulnerability

Marking (TLP)

TLP:CLEAR