216.73.217.64

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:38 · Modified 20/12/2025 23:42

Essential information

Value / Name
9b60c0034202f14752a552594be9c9c339c1e62c
Confidence
100/100
Revoked
Yes
Valid from
28/03/2023 21:08
Valid until
30/06/2024 21:08
Pattern type
yara
Published
20/12/2025 19:38
Modified
20/12/2025 23:42
Author / Source
AlienVault

Description

No description.

Pattern

rule koi_loader {   
       meta:   
           author = "@luc4m"   
           date = "2023-03-26"   
           link = "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1"   
           hash_md5 = "9725ec075e92e25ea5b6e99c35c7aa74"   
           tlp = "WHITE"   
       strings:   
    $tm_0 = /debug[0-9]{1,3}\.ps1/i wide   
    $tm_1 = "First stage size: {0}" wide   
    $tm_2 = "Second stage size: {0}" wide   
    $tm_3 = "Telegram Desktop\\tdata" wide   
    $tm_4 = "Executed " wide   
    $tm_5 = " or downloading " wide   
    $tm_6 = "LDR" wide   
    $curve_0 = "key must be 32 bytes long (but was {0} bytes long)" wide   
    $curve_1 = "rawKey must be 32 bytes long (but was {0} bytes long)" wide   
    $curve_2 = "rawKey" wide    
    $curve_3 = "key" wide    
       condition:   
            (5 of ($tm_*)) and (1 of ($curve_*))   
   }

Labels / Tags

Labels: binary curve25519 loaders maas nullmixer powershell seo poisoning trojan

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.