
Indicator (IOC)

yara · Revoked · AlienVault · Published 20/12/2025 23:28 · Modified 20/12/2025 23:28

Essential information

Value / Name: d7e7b3881891c00e4785249a07d830cc7c32ace5
Confidence: 100/100
Revoked: Yes
Valid from: 31/01/2023 18:28
Valid until: 05/05/2024 19:28
Pattern type: yara
Published: 20/12/2025 23:28
Modified: 20/12/2025 23:28
Author / Source: AlienVault

Description

Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples

Pattern

import "pe"

rule M_Hunting_Win_FONELAUNCH
{
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for suspicious version information metadata observed in FONELAUNCH samples"
        md5 = "35238d2a4626e7a1b89b13042f9390e9"

    strings:
        // UTF-16LE "InternalName", a NUL terminator, then UTF-16LE "powershell.dll"
        $m1 = { 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }
        // UTF-16LE "OriginalFilename", a NUL terminator, then UTF-16LE "powershell.dll"
        $m2 = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 64 00 6C 00 6C 00 }

    condition:
        // Size cap, "MZ" DOS magic, and "PE\0\0" signature at e_lfanew (offset 0x3C),
        // then either the parsed version resource or the raw UTF-16LE patterns.
        filesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and
        (
            pe.version_info["OriginalFilename"] == "powershell.dll" or
            pe.version_info["InternalName"] == "powershell.dll" or
            any of ($m*)
        )
}
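The following is an added example, not code from Mandiant, AlienVault or the page above: a pure-Python re-implementation of the rule's condition so that each check (size cap, MZ magic, PE signature at e_lfanew, version-info lookup, raw UTF-16LE patterns) can be stepped through without a YARA install. The `version_string` helper is a deliberate simplification of `pe.version_info`: it scans for the UTF-16LE key bytes rather than walking the PE resource tree, which is also all the rule's own `$m1`/`$m2` patterns do. Both "InternalName" and "OriginalFilename" happen to leave the following value DWORD-aligned with no padding, which is why those raw byte patterns line up with the string a version-resource parser would return; that is my reading of the VS_VERSIONINFO String layout, not something the page states. The sample buffers, the function names and `fake_pe` are all constructed here for illustration.

```python
# Added example: re-implementation of the checks in M_Hunting_Win_FONELAUNCH.
# Not Mandiant's or AlienVault's code; sample inputs below are constructed.
import struct
from typing import Optional

MAX_FILESIZE = 15 * 1024 * 1024      # the rule's "filesize < 15MB"
TARGET_NAME = "powershell.dll"


def version_field(key: str, value: str) -> bytes:
    """Bytes of a StringFileInfo entry as the rule's $m1/$m2 see it:
    UTF-16LE key, a two-byte NUL terminator, then the UTF-16LE value."""
    return key.encode("utf-16-le") + b"\x00\x00" + value.encode("utf-16-le")


# These are byte-for-byte the rule's $m1 and $m2 hex strings.
M1_INTERNAL_NAME = version_field("InternalName", TARGET_NAME)
M2_ORIGINAL_FILENAME = version_field("OriginalFilename", TARGET_NAME)


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 0x00004550 little-endian is the bytes "PE\0\0".
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def version_string(data: bytes, key: str) -> Optional[str]:
    """Approximation of pe.version_info[key]: locate the UTF-16LE key plus its
    NUL terminator and read the value up to the next UTF-16 NUL code unit.
    (yara's pe module parses the resource tree instead; this is a shortcut.)"""
    marker = key.encode("utf-16-le") + b"\x00\x00"
    pos = data.find(marker)
    if pos == -1:
        return None
    start = end = pos + len(marker)
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2            # advance one UTF-16 code unit at a time
    return data[start:end].decode("utf-16-le", errors="replace")


def matches_fonelaunch_hunt(data: bytes) -> bool:
    """Python equivalent of the rule's condition."""
    if not (len(data) < MAX_FILESIZE and is_pe(data)):
        return False
    return (version_string(data, "OriginalFilename") == TARGET_NAME
            or version_string(data, "InternalName") == TARGET_NAME
            or M1_INTERNAL_NAME in data          # any of ($m*)
            or M2_ORIGINAL_FILENAME in data)


def fake_pe(version_block: bytes) -> bytes:
    """Constructed stand-in for a PE file (not a real binary): 'MZ', e_lfanew
    pointing at 'PE\\0\\0', then the version block. Just enough for the
    header checks in the rule."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew = 0x40
    return bytes(header) + b"PE\x00\x00" + version_block + b"\x00\x00"


# Constructed samples: one that should hit, one benign, one non-PE decoy.
SAMPLE_HIT = fake_pe(version_field("InternalName", "powershell.dll"))
SAMPLE_BENIGN = fake_pe(version_field("InternalName", "kernel32.dll"))
SAMPLE_NOT_PE = b"text dump, not a PE: " + M2_ORIGINAL_FILENAME

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN),
                       ("not_pe", SAMPLE_NOT_PE)]:
        print(f"{name}: {matches_fonelaunch_hunt(blob)}")
```

The third sample shows why the header checks matter for a hunting rule: a text dump or memory fragment that merely contains the UTF-16LE `OriginalFilename\0powershell.dll` bytes is not a PE and does not match. Conversely, any PE whose version resource claims to be `powershell.dll` will match, which is the point of a hunting (triage) rule rather than a conviction signature; note also that this page marks the indicator as revoked and past its validity window, so treat hits as candidates for analysis rather than as automatic verdicts.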

Labels / Tags

Labels: cobaltstrike fonelaunch gootkit gootloader malicious js obfuscation powershell registry manipulation snowcone unc2565

Marking (TLP)

TLP:CLEAR