Indicator (IOC)
Essential information
- Value / Name
M_APT_Backdoor_NICECURL_1- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 03/05/2024 12:24
- Valid until
- 06/08/2025 12:24
- Pattern type
- yara
- Published
- 20/12/2025 19:43
- Modified
- 21/12/2025 03:58
- Author / Source
- AlienVault
Description
M_APT_Backdoor_NICECURL_1
Pattern
rule M_APT_Backdoor_NICECURL_1 {
meta:
author = "Mandiant"
md5 = "c23663ebdfbc340457201dbec7469386"
date_created = "2024-01-18"
date_modified = "2024-01-18"
rev = "1"
strings:
$ = "a = \"llehS.tpircsW\"" ascii wide
$ = "b = StrReverse(a)" ascii wide
$ = "Set objShell = wscript.CreateObject(b)"
$ = "WHFilePath = Temp & \"/\" & ProgName" ascii wide
$ = "Do While not FileExists(WHFilePath)" ascii wide
$ = "cmd /C start /MIN curl --ssl-no-revoke -s -d \"\"\"" ascii wide
$ = "nicecmdPath = Temp & \"/\" & ProgName" ascii wide
$ = "Function RunCom(Com, Url, nicecmdPath)" ascii wide
$ = "ComDecode = Base64Decode(Com)" ascii wide
$ = "InStr(ComDecode, \"kill\")" ascii wide
$ = "InStr(ComDecode, \"SetNewConfig\")" ascii wide
$ = "InStr(ComDecode, \"Module\")" ascii wide
$ = "Sub DeleteFile(filespec)" ascii wide
$ = "Sub CopyFile(Src, Dst)" ascii wide
$ = "Function SendData(sUrl, sRequest, nicecmdPath)" ascii wide
$ = "Function WriteToFile(FilePath, data)" ascii wide
$ = "Function GetSystemCaption()" ascii wide
$ = "Function GetPlainSess()" ascii wide
condition:
4 of them
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.