decrypt payload stored as IPv6 strings

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: decrypt payload stored as IPv6 strings
    namespace: load-code
    authors:
      - corkami@google.com
    scopes:
      static: function
      dynamic: call
  features:
    - and:
      - string: "RtlIpv6StringToAddressA"
      - or:
        - string: "4D5A:9000:0300:0000:0400:0000:FFFF:0000"
          description: PE header
        - string: "5648:89E6:4883:E4F0:4883:EC20:E80F:0000"
          description: Havoc shellcode

last edited: 2026-05-15 10:32:33