216.73.216.170

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:40 · Modified 21/12/2025 00:50

Essential information

Value / Name
b61886815134c10105f35b6a45d77150f5f90a7f
Confidence
100/100
Revoked
Yes
Valid from
08/06/2023 00:41
Valid until
10/09/2024 00:41
Pattern type
yara
Published
20/12/2025 19:40
Modified
21/12/2025 00:50
Author / Source
AlienVault

Description

Detects indicators of compromise in MOVEit Transfer exploitation.

Pattern

rule MOVEit_Transfer_exploit_webshell_aspx {   
     meta:   
       date = "2023-06-01"   
      
   			    description = "Detects indicators of compromise in MOVEit Transfer exploitation."   
      
   			    author = "Ahmet Payaslioglu - Binalyze DFIR Lab"   
      
   			    hash1 = "44d8e68c7c4e04ed3adacb5a88450552"   
      
   			    hash2 = "a85299f78ab5dd05e7f0f11ecea165ea"   
      
   			    reference1 = "https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/"   
      
   			    reference2 = "https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/"   
      
   			    reference3 = "https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643"   
      
   			    verdict = "dangerous"   
      
   			    mitre = "T1505.003"   
      
   			    platform = "windows"   
      
   			    search_context = "filesystem"   
      
   			  strings:   
      
   			    $a1 = "MOVEit.DMZ"   
      
   			    $a2 = "Request.Headers[\"X-siLock-Comment\"]"   
      
   			    $a3 = "Delete FROM users WHERE RealName='Health Check Service'"   
      
   			    $a4 = "set[\"Username\"]"   
      
   			    $a5 = "INSERT INTO users (Username, LoginName, InstID, Permission, RealName"   
      
   			    $a6 = "Encryption.OpenFileForDecryption(dataFilePath, siGlobs.FileSystemFactory.Create()"   
      
   			    $a7 = "Response.StatusCode = 404;"   
      
   			  condition:   
      
   			    filesize < 10KB   
      
   			    and all of them   
      
   			}

Labels / Tags

Labels: azure sql cl0p cobalt strike cryptomix moveit transfer powershell ransomware sdbot sql injection tinymet truebot vulnerability

Marking (TLP)

TLP:CLEAR