Invicta Stealer IoCs and Yara Rule
## Indicators of Compromise ##
SHA256 (sample hashes)
1e8f9b5a0d8fe4e7d64cb7adf0f94c1756ca563d98313d561838c940babe09ec
42be6d419ccc87963649eaee51f6a840f3a32361de95f763b23b8d6f89f94a06
f3c9263d847978d587cb7bb84076c2084acf463d25b8ac33be4bd66e84c866da
5241a8585511758e1c5562b4f96e19975640cc69220ab47352bf2eda93f696a8
930537b9cd5d8a3b9ba51fb48ace351a09a1418677fd877a62e731675251d515
8311dec0ac892228deba79ae211978058e259754deaadd07ad78a6d515d1fda8
3376a8ea0691cdf35f9dd2c01fc8e8c8e0daa62982f998addef58f1778199ba6
66cfe1c6b16b36dd47cf69f97d89bf5d5c7c938403403c9e2160b60abf0e96f7
46058f2495f802c75aabfd722b2ac17c30d0438688e36bd1874553e7840fd5fa
57ff3a68245e9ac7b2d4a82e379baa66a41a4d2545c30805f5b3379b6b79ccf4
b0d2642b681b06c2f3a2d79129235a647350a1880a025e9901db8bad6f2aa27e
a234d0b28f6f65110a314ecb6f130b63eb614af34ac5efe3dba3b5566c37b119
90be8b5224689a5a86fcf677f15dce17bf4db41b427e953684fcf747159b7678
16df35333ab26ab065656fb81da496b0586dca24756a179c149a8a2f0ba29938
a149eac0c3f9fbb788e076e50f1abc395a78bce86f5583e56fff200da92b36de
c84c6666e2d7f6e5514ee78ef8ad12dde3655200826f968d6f0a4b4db869ad3e
cd2c1342939aaed546ba27008928893de716ebe59bd0ebac65bfcd130c398f8c
e2239f943810596053f78b066ebb478b3d11b9c49cec811de855e30950b6f96a
541e41677e00034ce0475645e5dc1a9dc2dcc4bccff7bc11ff50e02c46b9ab30
377b125323cb3d437c482444138ba5d98376afe68108f6548acdd499f675d716
f391af58749a76ea4929e2733e95796bc110f52c29e57b9368da390b5668d512
9b94eb1c5f251dd6624841f9f26add45848ba4473979d1891fe0f0ec3237ffc7
C2 / exfiltration URLs (Discord webhooks)
hxxps://discord[.]com/api/webhooks/1108725112653488170/cJalL5wzPojs3BRLAlJIze8AgZcW58G5YmhdZ6K9ZLdUp-PrKExx4ZtJm49sVtpZm_WF
hxxps://discord[.]com/api/webhooks/1121475267177742346/DMqDQGU0e5mwvpfxofVX2Kc4KhLhMCX8NQCuqLNOK_va4e6Ce7A4ScWpIonQ3f1CDM5E
hxxps://discord[.]com/api/webhooks/1101252563917099119/zbAUglNtcJuK1meClnmWoRzocWBnQrmkEQ9zs0pHrzGYwbTgPii-nnWVhDdEb0ijhAzT
Note: these are Discord webhook endpoints rather than attacker-owned hosts, so blocking discord[.]com outright is rarely practical; match on the `/api/webhooks/<id>/<token>` path (or the webhook IDs 1108725112653488170, 1121475267177742346 and 1101252563917099119) in proxy/DNS/EDR telemetry, and report the webhooks to Discord for takedown.
## YARA Rule ##
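rule Invicta_Stealer
{
    meta:
        description = "Detects Invicta Stealer samples (see the accompanying SHA256 IoC list)"
        author = "theatha"
        source = "brandefense.io"
        date = "10.07.2023"
        hash = "1e8f9b5a0d8fe4e7d64cb7adf0f94c1756ca563d98313d561838c940babe09ec"
    strings:
        // Width-limited scanset fragment present in the samples; presumably part of a
        // scanf-family format string used to parse ';'-delimited data - confirm against a sample.
        $s1 = "%4095[^;"
        // Code sequence from the main function. The operands of the E8 (call rel32) and
        // FF 15 (call dword ptr [disp32]) instructions are build-specific addresses, so they
        // are wildcarded to keep the rule matching across relinked/recompiled builds; the
        // SSE adds and the mov ecx,100 remain as exact anchors.
        $main_func = {
            F2 0F 58 C6             // addsd xmm0, xmm6
            E8 ?? ?? ?? ??          // call <rel32>             (original: E8 62 C1 15 00)
            B9 64 00 00 00          // mov ecx, 100
            F2 0F 58 F8             // addsd xmm7, xmm0
            FF 15 ?? ?? ?? ??       // call dword ptr [disp32]  (original: FF 15 73 50 16 00)
        }
    condition:
        // filesize is only defined for file scans (it never matches in process-memory scans);
        // add `uint16(0) == 0x5A4D` if the rule should be restricted to PE files on disk.
        all of them and filesize < 3000KB
}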