216.73.217.98

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:35 · Modified 20/12/2025 22:03

Essential information

Value / Name
d589b1b33ef59d48bff5afb11867b903013a1bb3
Confidence
100/100
Revoked
Yes
Valid from
05/10/2022 20:25
Valid until
08/01/2024 19:25
Pattern type
yara
Published
20/12/2025 19:35
Modified
20/12/2025 22:03
Author / Source
AlienVault

Description

No description.

Pattern

rule CISA_10365227_02 : ClientUploader   
      
   				{   
      
   				meta:   
      
   				 Author = "CISA Code & Media Analysis"   
      
   				 Incident = "10365227"   
      
   				 Date = "2021-12-23"   
      
   				 Last_Modified = "20211224_1200"   
      
   				 Actor = "n/a"   
      
   				 Category = "n/a"   
      
   				 Family = "n/a"   
      
   				 Description = "Detects ClientUploader_mqsvn"   
      
   				 MD5_1 = "63cf36ac25788e13b41b1eb6bfc0c6b6"   
      
   				 SHA256_1 = "3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350"   
      
   				strings:   
      
   				 $s1 = "UploadSmallFileWithStopWatch"   
      
   				 $s2 = "UploadPartWithStopwatch"   
      
   				 $s3 = "AppVClient"   
      
   				 $s4 = "ClientUploader"   
      
   				 $s5 = { 46 69 6C 65 43 6F 6E 74 61 69 6E 65 72 2E 46 69 6C 65 41 72 63 68 69 76 65 }   
      
   				 $s6 = { 4F 6E 65 44 72 69 76 65 43 6C 69 65 6E 74 2E 4F 6E 65 44 72 69 76 65 }   
      
   				condition:   
      
   				 uint16(0) == 0x5a4d and all of them   
      
   				}

Labels / Tags

Labels: .net executable apt covalentstealer credential harvesting exfiltration ifileworker information stealer obfuscated powershell trojan

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.