216.73.216.170

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:35 · Modified 20/12/2025 22:03

Essential information

Value / Name
b508614268a012be2135099962009fdfe533315e
Confidence
100/100
Revoked
Yes
Valid from
05/10/2022 20:25
Valid until
08/01/2024 19:25
Pattern type
yara
Published
20/12/2025 19:35
Modified
20/12/2025 22:03
Author / Source
AlienVault

Description

No description.

Pattern

rule CISA_10365227_03 : ClientUploader   
      
   				{   
      
   				meta:   
      
   				 Author = "CISA Code & Media Analysis"   
      
   				 Incident = "10365227"   
      
   				 Date = "2021-12-23"   
      
   				 Last_Modified = "20211224_1200"   
      
   				 Actor = "n/a"   
      
   				 Category = "n/a"   
      
   				 Family = "n/a"   
      
   				 Description = "Detects ClientUploader_onedrv"   
      
   				 MD5_1 = "806998079c80f53afae3b0366bac1479"   
      
   				 SHA256_1 = "84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb"   
      
   				strings:   
      
   				 $s1 = "Decoder2"   
      
   				 $s2 = "ClientUploader"   
      
   				 $s3 = "AppDomain"   
      
   				 $s4 = { 5F 49 73 52 65 70 47 ?? 44 65 63 6F 64 65 72 73 }   
      
   				 $s5 = "LzmaDecoder"   
      
   				 $s6 = "$ee1b3f3b-b13c-432e-a461-e52d273896a7"   
      
   				condition:   
      
   				 uint16(0) == 0x5a4d and all of them   
      
   				}

Labels / Tags

Labels: .net executable apt covalentstealer credential harvesting exfiltration ifileworker information stealer obfuscated powershell trojan

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.