Play interactive tour

Edit tour

Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name:	FACTURA.exe
Analysis ID:	1568
MD5:	740463ed3266f7aee8331978f50c731c
SHA1:	a9310948476693d72be937f23e1b53b3607bf92f
SHA256:	fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d
Infos:
Most interesting Screenshot:

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Remcos AESCRYPT Ransomware Annabelle

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected PasteDownloader

Yara detected LaZagne password dumper

Yara detected Metasploit Payload

Yara detected LazParking Ransomware

Yara detected Neshta

Detected Hacktool Mimikatz

Yara detected Discord Token Stealer

Yara detected MailPassView

Yara detected BlackMoon Ransomware

Yara detected Snake Keylogger

Yara detected Parallax RAT

Yara detected Zeppelin Ransomware

Yara detected Ragnarok ransomware

Yara detected Apis Ransomware

Yara detected Wannacry ransomware

Yara detected MegaCortex Ransomware

Yara detected Valak

Yara detected AntiVM3

Yara detected Cobra Locker ransomware

Yara detected RekenSom ransomware

Yara detected Avaddon Ransomware

Yara detected Babuk Ransomware

Yara detected Nemty Ransomware

Yara detected NetWire RAT

Yara detected Linux EvilGnome RC5 key

Yara detected Mini RAT

Yara detected BLACKMatter Ransomware

Yara detected Clay Ransomware

Yara detected Thanos ransomware

Yara detected Koadic

Yara detected Jigsaw

Yara detected CryLock ransomware

Yara detected Pony

Yara detected Sapphire Ransomware

Yara detected OCT Ransomware

Yara detected Snatch Ransomware

Yara detected VBKeyloggerGeneric

Antivirus detection for URL or domain

Yara detected AESCRYPT Ransomware

Yara detected RansomwareGeneric

Yara detected Silvertor Ransomware

Yara detected Coinhive miner

Yara detected Ouroboros ransomware

Yara detected Annabelle Ransomware

Yara detected Gocoder ransomware

Detected Imminent RAT

Yara detected LimeRAT

Yara detected BitCoin Miner

Yara detected WannaRen ransomware

Yara detected GuLoader

Yara detected Chaos Ransomware

Yara detected Hancitor

Found malware configuration

Yara detected Mock Ransomware

Yara detected Conti ransomware

Yara detected Generic Dropper

Yara detected NoCry Ransomware

Yara detected ByteLocker Ransomware

Yara detected RegretLocker Ransomware

Yara detected Meterpreter

Yara detected Clop Ransomware

Yara detected Ryuk ransomware

Yara detected Xmrig cryptocurrency miner

Yara detected Porn Ransomware

Yara detected LockBit ransomware

Yara detected DarkSide Ransomware

Yara detected LOCKFILE ransomware

Malicious sample detected (through community Yara rule)

Yara detected Cerber ransomware

Yara detected HiddenTear ransomware

Yara detected Telegram RAT

Yara detected Rhino ransomware

Yara detected Mailto ransomware

Yara detected CoronaCrypt Ransomware

Yara detected Voidcrypt Ransomware

Yara detected Njrat

Yara detected Buran Ransomware

Yara detected GoGoogle ransomware

Yara detected VHD ransomware

Yara detected generic Shellcode Injector

Yara detected Axiom Ransomware

Yara detected Artemon Ransomware

Yara detected Netwalker ransomware

Yara detected Vidar stealer

Yara detected Jcrypt Ransomware

Yara detected Covid19 Ransomware

Yara detected UACMe UAC Bypass tool

Yara detected Delta Ransomware

Yara detected Predator

Yara detected Mimikatz

Detected HawkEye Rat

Yara detected AveMaria stealer

Yara detected Nukesped

Yara detected LokiLocker Ransomware

Detected Remcos RAT

Yara detected Cryptolocker ransomware

Yara detected Marvel Ransomware

Multi AV Scanner detection for domain / URL

Yara detected Codoso Ghost

Yara detected Cute Ransomware

Yara detected Growtopia

Yara detected Xorist ransomware

Yara detected Windows Security Disabler

Yara detected Dorkbot

Yara detected RevengeRAT

Contains VNC / remote desktop functionality (version string found)

Found strings related to Crypto-Mining

Found Tor onion address

Yara detected MaliciousMacro

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Sample is not signed and drops a device driver

May modify the system service descriptor table (often done to hook functions)

Yara detected AllatoriJARObfuscator

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Found string related to ransomware

Yara detected MSILLoadEncryptedAssembly

Yara detected VB6 Downloader Generic

Contains functionality to hide user accounts

Yara detected BatToExe compiled binary

May drop file containing decryption instructions (likely related to ransomware)

Binary or sample is protected by dotNetProtector

May enable test signing (to load unsigned drivers)

Deletes shadow drive data (may be related to ransomware)

Yara detected Autohotkey Downloader Generic

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Sample execution stops while process was sleeping (likely an evasion)

Drops files with a non-matching file extension (content does not match file extension)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Binary contains a suspicious time stamp

May initialize a security null descriptor

Yara detected Keylogger Generic

Uses 32bit PE files

Yara signature match

Deletes files inside the Windows folder

Contains functionality to query the security center for anti-virus and firewall products

Creates files inside the system directory

May infect USB drives

PE file contains sections with non-standard names

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

Yara detected RemCom RemoteAdmin tool

PE file contains executable resources (Code or Archives)

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains strings related to BOT control commands

Enables security privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Yara detected Winexe tool

Classification

Process Tree

System is w10x64native

FACTURA.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\FACTURA.exe' MD5: 740463ED3266F7AEE8331978F50C731C)

WerFault.exe (PID: 8016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848 MD5: 40A149513D721F096DDF50C04DA2F01F)

WerFault.exe (PID: 2516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856 MD5: 40A149513D721F096DDF50C04DA2F01F)

UserOOBEBroker.exe (PID: 2888 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)

mpam-5e107659.exe (PID: 6940 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD MD5: 58454E5B478373BF68420AE5D49380D4)

MpSigStub.exe (PID: 5556 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

wevtutil.exe (PID: 4104 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wevtutil.exe (PID: 6840 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-fad3e9a8.exe (PID: 1248 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x2f5af:$a: Cookies: Sym1.0 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0xf57f:$x1: zxplug -add 0xf58b:$x2: getxxx c:\xyz.dll
00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x8238:$: \\.\pipe\%s%s%d
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x23b4a:$s1: .CreateObject("WScript.Shell") 0x20175:$p1: powershell.exe 0x20c53:$p1: powershell.exe 0x23b7b:$p1: powershell.exe
00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x2c897:$s3: hhhhh.exe 0x2c881:$s4: ttttt.exe 0x2c86b:$s6: cle.log.1
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0xa3d8:$a: Amplia Security 0xa4a5:$e: extract the TGT session key
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x47e1:$payload_and_input1: eval(request[ 0x7d16:$tagasp_short1: <%@ 0x7d3b:$tagasp_short1: <%v 0x2f464:$tagasp_short1: <%\xEF 0x7d39:$tagasp_short2: %> 0x1a769:$tagasp_short2: %> 0x316c3:$tagasp_short2: %> 0x34885:$tagasp_short2: %> 0x3af14:$tagasp_short2: %> 0x7d16:$tagasp_long20: <%@pagelanguage="jscript
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x45ed:$s1: stratum+tcp://
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x23a78:$cUp: Upload failed! [Remote error code:
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x164fe:$new_php2: <?php 0x16f20:$new_php2: <?php 0x16503:$dynamic1: $_system($ 0x1715:$gen_bit_sus47: Shell 0x1a08:$gen_bit_sus47: Shell 0x2062:$gen_bit_sus47: Shell 0x33f6:$gen_bit_sus47: Shell 0x3420:$gen_bit_sus47: Shell 0x344a:$gen_bit_sus47: Shell 0x347c:$gen_bit_sus47: Shell 0x34bc:$gen_bit_sus47: Shell 0x3500:$gen_bit_sus47: Shell 0x15d9d:$gen_bit_sus47: Shell 0x5c83:$gen_bit_sus50: bypass 0x148dd:$gen_bit_sus61: /bin/sh 0x15d4d:$gen_much_sus8: Webshell 0x16289:$gen_much_sus8: webshell 0x16bab:$gen_much_sus8: WebShell 0x16f0b:$gen_much_sus8: WebShell 0x2ef0a:$gen_much_sus8: WebShell 0x1dfdb:$gen_much_sus15: Antivirus
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33807:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67 0x33817:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x1871e:$x3: lsadump::dcsync
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3c3cd:$s2: system.net.webclient).downloadstring('http
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x187e7:$s5: sekurlsa::tspkg 0x187a4:$s13: sekurlsa::ekeys 0x18761:$s14: sekurlsa::dpapi
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x70b2:$payload7: eval(base64_decode( 0x70ad:$php_short: <? 0x89aa:$php_short: <? 0x9a89:$php_short: <? 0x14c27:$php_short: <? 0x89aa:$php_new1: <?=$ 0x70ad:$php_new2: <?php 0x9a89:$php_new2: <?php
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x70ad:$new_php2: <?php 0x9a89:$new_php2: <?php 0xaffb:$dynamic1: $split[stringlen($ 0xa01d:$gen_bit_sus11: "cmd.exe 0x1df34:$gen_bit_sus11: "cmd.exe 0x9811:$gen_bit_sus50: bypass 0x7097:$gen_much_sus8: Webshell 0x8b88:$gen_much_sus8: Webshell 0xaba5:$gen_much_sus8: WebShell 0xabf8:$gen_much_sus8: WebShell 0x1bc0b:$gen_much_sus8: Webshell 0x1bee5:$gen_much_sus8: Webshell 0x1dcc2:$gen_much_sus8: webshell 0x97fc:$gen_much_sus15: antivirus 0x1e505:$gen_much_sus18: "unsafe 0x85aa:$gen_much_sus25: Exploit 0x8e6d:$gen_much_sus25: Exploit 0x9156:$gen_much_sus25: Exploit 0x9d04:$gen_much_sus25: Exploit 0xa139:$gen_much_sus25: Exploit 0xa380:$gen_much_sus25: Exploit
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x9e1a:$opbs73: eval(str_rot13( 0x70ad:$php_short: <? 0x89aa:$php_short: <? 0x9a89:$php_short: <? 0x14c27:$php_short: <? 0x89aa:$php_new1: <?=$ 0x70ad:$php_new2: <?php 0x9a89:$php_new2: <?php
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1e4ed:$payload_and_input1: eval(request. 0x818e:$tagasp_short1: <%@ 0x1e4d0:$tagasp_short1: <%@ 0x1e4eb:$tagasp_short1: <%e 0x81b6:$tagasp_short2: %> 0x126b9:$tagasp_short2: %> 0x1e4e9:$tagasp_short2: %> 0x1e50f:$tagasp_short2: %> 0x1e4eb:$tagasp_long13: <%ev 0x1e4d0:$tagasp_long20: <%@pagelanguage="jscript 0x1c1f4:$jsp4: public
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x7097:$asp_much_sus8: Webshell 0x8b88:$asp_much_sus8: Webshell 0xaba5:$asp_much_sus8: WebShell 0xabf8:$asp_much_sus8: WebShell 0x1bc0b:$asp_much_sus8: Webshell 0x1bee5:$asp_much_sus8: Webshell 0x1dcc2:$asp_much_sus8: webshell 0x97fc:$asp_much_sus15: antivirus 0x1e505:$asp_much_sus18: "unsafe 0xab6f:$asp_much_sus33: hacker 0xa01d:$asp_gen_sus11: "cmd.exe 0x1df34:$asp_gen_sus11: "cmd.exe 0x84e2:$asp_gen_obf1: "+" 0x84e9:$asp_gen_obf1: "+" 0xa15c:$asp_gen_obf1: "+" 0xa160:$asp_gen_obf1: "+" 0xa165:$asp_gen_obf1: "+" 0xa16a:$asp_gen_obf1: "+" 0xa16e:$asp_gen_obf1: "+" 0xa172:$asp_gen_obf1: "+" 0xa177:$asp_gen_obf1: "+"
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x1e175:$payload2: eval(gzinflate(base64_decode( 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x19a9f:$php_short: <? 0x1d0ff:$php_short: <? 0x3c44d:$php_short: <? 0x3c49b:$php_short: <? 0x3c44d:$php_new2: <?php 0x3c49b:$php_new2: <?php
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x3c44d:$new_php2: <?php 0x3c49b:$new_php2: <?php 0x3c452:$dynamic1: $_system($ 0x1bda7:$dynamic5: $__() 0x3b2fa:$gen_bit_sus11: "cmd.exe 0x22898:$gen_bit_sus12: %comspec% 0xa23e:$gen_bit_sus46: shell_ 0xa291:$gen_bit_sus46: shell_ 0x3dffc:$gen_bit_sus47: Shell 0x1c67a:$gen_bit_sus50: bypass 0x1c730:$gen_bit_sus50: bypass 0x1b2ac:$gen_bit_sus55: e'.'v 0x1b2b0:$gen_bit_sus55: v'.'a 0x1b2b4:$gen_bit_sus55: a'.'l 0x1b2c4:$gen_bit_sus55: z'.'i 0x1b2c9:$gen_bit_sus55: n'.'f 0x1b2cd:$gen_bit_sus55: f'.'l 0x1dd42:$gen_bit_sus56: m"."d 0x1dd48:$gen_bit_sus56: e"."x 0x1c93b:$gen_bit_sus59: 'cmd' 0x30bdb:$gen_bit_sus62: Cyber
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1b2ac:$opbs18: e'.'v'.'a'.'l 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x19a9f:$php_short: <? 0x1d0ff:$php_short: <? 0x3c44d:$php_short: <? 0x3c49b:$php_short: <? 0x3c44d:$php_new2: <?php 0x3c49b:$php_new2: <?php
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1d692:$s1: stratum+tcp://
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1f536:$: \\.\pipe\%s%s%d
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x1ad5b:$x3: lsadump::dcsync
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1acec:$s1: sekurlsa::msv 0x1acd6:$s2: sekurlsa::wdigest 0x1acab:$s4: sekurlsa::kerberos 0x1ac52:$s5: sekurlsa::tspkg 0x1ac3c:$s6: sekurlsa::livessp 0x1ac2a:$s7: sekurlsa::ssp 0x1ac14:$s9: sekurlsa::process 0x1ac7c:$s11: sekurlsa::pth 0x1ac66:$s12: sekurlsa::tickets 0x1acc2:$s13: sekurlsa::ekeys 0x1abcf:$s14: sekurlsa::dpapi 0x1abb9:$s15: sekurlsa::credman
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x55af:$s1: stratum+tcp://
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6349431685.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3211c:$s1: stratum+tcp://
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp	APT9002Strings	9002 Identifying Strings	Seth Hardy	0x4e86:$: %%TEMP%%\%s_p.ax
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xa6f2:$sa2: -EncodedCommand 0xa6e3:$sb2: -window hidden 0x19bb5:$sc1: -nop 0x19bc6:$sd1: -noni
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x9789:$cUp: Upload failed! [Remote error code: 0x9869:$GDGSYDLYR: GDGSYDLYR_%
00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3111c:$s1: stratum+tcp://
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x29107:$s1: stratum+tcp:// 0x2dc08:$s1: stratum+tcp://
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1c1e0:$s2: sekurlsa::wdigest 0x1c111:$s6: sekurlsa::livessp 0x1c156:$s9: sekurlsa::process 0x1c19b:$s12: sekurlsa::tickets 0x1c0cc:$s15: sekurlsa::credman
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1ad4b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1af5b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1ad4b:$c1: Elevation:Administrator!new: 0x1af5b:$c1: Elevation:Administrator!new: 0x1acf2:$c6: ConsentPromptBehaviorAdmin 0x1af02:$c6: ConsentPromptBehaviorAdmin
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2541b:$a1: certutil -decode
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x23c95:$new_php2: <?php 0x77af:$dynamic3: $U\xBF(' 0x2243e:$gen_bit_sus11: "cmd.exe 0x23085:$gen_bit_sus11: "cmd.exe 0x242d8:$gen_bit_sus12: %comspec% 0x23ca0:$gen_bit_sus46: shell_ 0x2a319:$gen_bit_sus47: Shell 0x2baa9:$gen_bit_sus47: Shell 0x5eab:$gen_bit_sus62: Cyber 0x5ed6:$gen_bit_sus62: Cyber 0x23c7b:$gen_much_sus8: WebShell 0x26a18:$gen_much_sus15: AntiVirus 0x2713c:$gen_much_sus15: AntiVirus 0x27f65:$gen_much_sus15: antivirus 0x28042:$gen_much_sus15: antivirus 0x28056:$gen_much_sus15: antivirus 0x2d83f:$gen_much_sus15: Antivirus 0x23c57:$gen_much_sus18: "unsafe 0x24600:$gen_much_sus24: exploit 0x227f0:$gen_much_sus25: Exploit 0x22ab1:$gen_much_sus25: Exploit
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x23c3e:$payload_and_input1: eval(request. 0x23c3c:$tagasp_short1: <%e 0x23c61:$tagasp_short2: %> 0x23c3c:$tagasp_long13: <%ev 0x2a243:$jsp4: public 0x2a2a1:$jsp4: public
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xe4ef:$substring: AAAAYInlM 0xe4eb:$pattern1: /OiCAAAAYInlM
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x9164:$s1: .CreateObject("WScript.Shell") 0x2fbee:$s1: .CreateObject("WScript.Shell") 0x2c17d:$p1: powershell.exe 0x2c1d3:$p1: powershell.exe 0x39fb8:$p1: powershell.exe 0x2c1a0:$p2: -ExecutionPolicy Bypass 0x2c1f6:$p2: -ExecutionPolicy Bypass 0xe4c7:$p3: [System.Convert]::FromBase64String(
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x175a4:$s1: powershell.exe -nop -w hidden -e 0x1640a:$s2: Call Shell( 0x17794:$s3: Sub Workbook_Open()
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x3aa7:$n1: file:// 0x255cd:$n1: file:// 0x3f3f:$ax2: 5.153.58.45
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x15c42:$s1: stratum+tcp://
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1963d:$s1: stratum+tcp://
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6356649431.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x1046d:$s4: sekurlsa::kerberos
00000024.00000003.6300924417.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x82eb:$s1: stratum+tcp:// 0x2752e:$s1: stratum+tcp://
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x243e6:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x35bcc:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x35bee:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xc8fc:$s1: stratum+tcp://
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x28019:$: OnlineTime= 0x28057:$: clientpath= 0x28066:$: serverpath=
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1ce01:$opbs73: eval(str_rot13( 0x6525:$php_short: <? 0xf324:$php_short: <? 0x1f6db:$php_short: <? 0x33597:$php_short: <? 0x33ae7:$php_short: <? 0x37c06:$php_short: <? 0x6525:$php_new1: <?=$
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x2f5af:$a: Cookies: Sym1.0 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x2ff92:$a: XTREME 0x2ffa4:$a: XTREME 0x2ffa4:$b: XTREMEBINDER
00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2be:$s1: stratum+tcp://
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6314037891.00000197A4314000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x27f53:$xo1: Ik~mhhe+1*4
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xff95:$xo1: Ik~mhhe+1*4
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x3b8ac:$: odhyrfjcnfkdtslt
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xd67e:$payload7: eval(base64_decode( 0xd669:$php_short: <? 0xe4dd:$php_short: <? 0x26827:$php_short: <? 0xd669:$php_new2: <?php 0xe4dd:$php_new2: <?php
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd734:$s1: stratum+tcp://
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x333a3:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x33bae:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x33bbe:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1f5a7:$s1: stratum+tcp:// 0x21897:$s1: stratum+tcp://
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x21ed4:$s1: Stratum notify: invalid Merkle branch
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xc77e:$s1: stratum+tcp://
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xf0c5:$a5: certutil -urlcache -split -f http
00000024.00000003.6330651040.00000197A36F1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x34aac:$s1: stratum+tcp://
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2f349:$payload_and_input1: eval(request. 0x2f329:$tagasp_short1: <%@ 0x2f347:$tagasp_short1: <%e 0x35e79:$tagasp_short1: <%\xC4 0x3eae6:$tagasp_short1: <%\x1D 0x1c67:$tagasp_short2: %> 0x109f7:$tagasp_short2: %> 0x11547:$tagasp_short2: %> 0x123a7:$tagasp_short2: %> 0x3a8b6:$tagasp_short2: %> 0x2f347:$tagasp_long13: <%ev
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1a043:$r2: p^owershell
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x170eb:$x1: iex ((new-object net.webclient).Download
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x1a391:$sb1: -w Hidden 0x1a13d:$sb3: -windowstyle hidden 0x1a132:$sc2: -noprofile 0x1a11a:$se3: -ExecutionPolicy bypass
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x1f536:$: \\.\pipe\%s%s%d
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	REDLEAVES_CoreImplant_UniqueStrings	Strings identifying the core REDLEAVES RAT in its deobfuscated state	USG	0xf21:$unique4: red_autumnal_leaves_dllmain.dll 0xd6d:$unique7: \NamePipe_MoreWindows
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x8a8:$a1: certutil -decode
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	CobaltStrike_MZ_Launcher	Detects CobaltStrike MZ header ReflectiveLoader launcher	yara@s3c.za.net	0x21279:$mz_launcher: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x35f9:$s1: stratum+tcp://
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x3a3f:$s1: WScript.Shell").run
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	Ham_backdoor	unknown	Cylance Spear Team	0x658:$a: 8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp	malware_red_leaves_generic	Red Leaves malware, related to APT10	David Cannings	0xdd7:$: I can not start %s 0xe5f:$: dwConnectPort 0xe71:$: dwRemoteLanPort 0xe85:$: strRemoteLanAddress 0xe9d:$: strLocalConnectIp 0xd5d:$: \\.\pipe\NamePipe_MoreWindows 0xd9d:$: RedLeavesCMDSimulatorMutex 0xca0:$: (NT %d.%d Build %d) 0xf21:$: red_autumnal_leaves_dllmain.dll 0xbce:$: __data 0xbe2:$: __serial 0xbf8:$: __upt
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_base64_encoded_payloads	php webshell containing base64 encoded payload	Arnim Rupp	0x14efc:$decode1: base64_decode 0x156c3:$decode1: base64_decode 0x157cc:$decode1: base64_decode 0x15819:$decode1: base64_decode 0x15837:$decode1: base64_decode 0xd158:$four1: zeXN0ZW 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x156be:$payload7: eval(base64_decode( 0x15814:$payload7: eval(base64_decode( 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x15e97:$new_php2: <?php 0x14a98:$dynamic1: $_session[md5($ 0x14b02:$dynamic1: $_session[md5($ 0x19870:$gen_bit_sus2: .replace(/y/g 0x2fd92:$gen_bit_sus11: "cmd.exe 0x38872:$gen_bit_sus29: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 0x14d6b:$gen_bit_sus35: crack 0x1566f:$gen_bit_sus46: shell_ 0x15e3e:$gen_bit_sus46: shell_ 0x13bb4:$gen_bit_sus47: Shell 0x15501:$gen_bit_sus47: Shell 0x17e5e:$gen_bit_sus47: Shell 0x2c4b7:$gen_bit_sus47: Shell 0x150e7:$gen_bit_sus50: bypass 0x1a240:$gen_bit_sus50: bypass 0x32316:$gen_bit_sus50: bypass 0x15f43:$gen_bit_sus60: "execute" 0x15df4:$gen_bit_sus69: $cmd 0x13cbf:$gen_much_sus8: Webshell 0x33510:$gen_much_sus15: antivirus 0x2c432:$gen_much_sus16: mcafee
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x1602c:$pbs3: "b374k 0x14a1f:$pbs6: 0de664ecd2be02cdd54234a0d1229b43 0x15e97:$php_short: <? 0x15e97:$php_new2: <?php
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3b7f3:$s1: stratum+tcp://
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x2343d:$s1: .CreateObject("WScript.Shell") 0x2d6ef:$s1: .CreateObject("WScript.Shell") 0x5ccd:$p1: powershell.exe 0x3afdf:$p1: powershell.exe
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x2a9e:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x12960:$s1: stratum+tcp:// 0x1298b:$s1: stratum+tcp:// 0x13d17:$s1: stratum+tcp://
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x378b:$: Neo,welcome to the desert of real.
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x2a2dd:$hook: C6 06 FF 46 C6 06 25 0x2a2e8:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x38778:$s15: [+] OK! I Closed The Two Socket.
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3b7f3:$s1: stratum+tcp://
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6310770552.00000197A4B3C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp	HackTool_MSIL_SharPersist_2	unknown	FireEye	0xf2aa:$a1: SharPersist.lib 0xf2be:$a2: SharPersist.exe 0xf2d2:$b1: ERROR: Invalid hotkey location option given. 0xf303:$b2: ERROR: Invalid hotkey given. 0xf324:$b3: ERROR: Keepass configuration file not found. 0xf355:$b4: ERROR: Keepass configuration file was not found. 0xf38a:$b5: ERROR: That value already exists in: 0xf3b3:$b6: ERROR: Failed to delete hidden registry key. 0xf3e4:$pdb1: \SharPersist\ 0xf3f6:$pdb2: \SharPersist.pdb
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xb684:$sb1: -W hidden 0xb67f:$sc1: -nop 0xb68e:$sd2: -noninteractive 0xb672:$se2: -exec bypass 0xb672:$se4: -exec bypass
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xdc54:$s1: stratum+tcp:// 0xddca:$s1: stratum+tcp://
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0xa67:$s1: wscript.shell").Run 0x133f:$s1: wscript.shell").Run
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x39288:$s1: sekurlsa::msv 0x3930a:$s7: sekurlsa::ssp 0x392c9:$s11: sekurlsa::pth
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x26f36:$php_short: <? 0x26f75:$php_short: <? 0x26fb5:$php_short: <? 0x26ff8:$php_short: <? 0x27042:$php_short: <? 0x2735f:$php_short: <? 0x2744d:$php_short: <? 0x2753a:$php_short: <? 0x27593:$php_short: <? 0x27711:$php_short: <? 0x26f36:$php_new2: <?php 0x26f75:$php_new2: <?php 0x26fb5:$php_new2: <?php 0x26ff8:$php_new2: <?php 0x27042:$php_new2: <?php 0x2735f:$php_new2: <?php 0x2753a:$php_new2: <?php 0x27593:$php_new2: <?php 0x27711:$php_new2: <?php 0x27ace:$inp4: _POST[ 0x26f59:$cpayload1: eval($
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2791b:$payload_and_input1: eval(request. 0x26ed0:$tagasp_short1: <%e 0x26ee6:$tagasp_short1: <%\x90 0x274b3:$tagasp_short1: <%e 0x275ee:$tagasp_short1: <%e 0x278fc:$tagasp_short1: <%@ 0x27919:$tagasp_short1: <%e 0x63ea:$tagasp_short2: %> 0x1ca46:$tagasp_short2: %> 0x26ea5:$tagasp_short2: %> 0x26ece:$tagasp_short2: %> 0x26ee0:$tagasp_short2: %> 0x27602:$tagasp_short2: %> 0x27917:$tagasp_short2: %> 0x26ed0:$tagasp_long13: <%ev 0x274b3:$tagasp_long13: <%ev 0x275ee:$tagasp_long13: <%ev 0x27919:$tagasp_long13: <%ev
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd4b7:$sb3: -WindowStyle Hidden 0x2ee14:$sb3: -Windowstyle hidden 0x2ee07:$se2: -exec bypass 0xd4cb:$se3: -ExecutionPolicy Bypass 0x2ee07:$se4: -exec bypass
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x2ec18:$two5: NullRefrencedException 0x2ec30:$two6: error has occurred in user32.dll by 0x2ec18:$two7: NullRefrencedException
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x26f36:$php_short: <? 0x26f75:$php_short: <? 0x26fb5:$php_short: <? 0x26ff8:$php_short: <? 0x27042:$php_short: <? 0x2735f:$php_short: <? 0x2744d:$php_short: <? 0x2753a:$php_short: <? 0x27593:$php_short: <? 0x27711:$php_short: <? 0x26f36:$php_new2: <?php 0x26f75:$php_new2: <?php 0x26fb5:$php_new2: <?php 0x26ff8:$php_new2: <?php 0x27042:$php_new2: <?php 0x2735f:$php_new2: <?php 0x2753a:$php_new2: <?php 0x27593:$php_new2: <?php 0x27711:$php_new2: <?php 0x27ace:$inp4: _POST[ 0x26f59:$cpayload1: eval($
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x2791b:$payload_and_input1: eval(request. 0x26ed0:$tagasp_short1: <%e 0x26ee6:$tagasp_short1: <%\x90 0x274b3:$tagasp_short1: <%e 0x275ee:$tagasp_short1: <%e 0x278fc:$tagasp_short1: <%@ 0x27919:$tagasp_short1: <%e 0x63ea:$tagasp_short2: %> 0x1ca46:$tagasp_short2: %> 0x26ea5:$tagasp_short2: %> 0x26ece:$tagasp_short2: %> 0x26ee0:$tagasp_short2: %> 0x27602:$tagasp_short2: %> 0x27917:$tagasp_short2: %> 0x26ed0:$tagasp_long13: <%ev 0x274b3:$tagasp_long13: <%ev 0x275ee:$tagasp_long13: <%ev 0x27919:$tagasp_long13: <%ev
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xd4b7:$sb3: -WindowStyle Hidden 0x2ee14:$sb3: -Windowstyle hidden 0x2ee07:$se2: -exec bypass 0xd4cb:$se3: -ExecutionPolicy Bypass 0x2ee07:$se4: -exec bypass
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34) 0x2ec18:$two5: NullRefrencedException 0x2ec30:$two6: error has occurred in user32.dll by 0x2ec18:$two7: NullRefrencedException
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x429d9:$payload4: eval(gzuncompress(base64_decode 0x2a84:$php_short: <? 0x7ac6:$php_short: <? 0x7e13:$php_short: <? 0x27a1a:$php_short: <? 0x27a83:$php_short: <? 0x27aec:$php_short: <? 0x27b55:$php_short: <? 0x27bbe:$php_short: <? 0x2c093:$php_short: <? 0x30d39:$php_short: <? 0x50b28:$php_short: <? 0x27a1a:$php_new2: <?php 0x27a83:$php_new2: <?php 0x27aec:$php_new2: <?php 0x27b55:$php_new2: <?php 0x27bbe:$php_new2: <?php
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18b28:$s1: stratum+tcp:// 0x195bc:$s1: stratum+tcp:// 0x1a968:$s1: stratum+tcp:// 0x1ac90:$s1: stratum+tcp://
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x27498:$s1: stratum+tcp:// 0x280b4:$s1: stratum+tcp://
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x35759:$x1: S:\Ammyy\sources\target\TrService.cpp 0x35783:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x357b5:$x3: Global\Ammyy.Target.IncomePort 0x357d8:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x35804:$x5: Please enter password for accessing remote computer 0x3568f:$s1: CreateProcess1()#3 %d error=%d 0x356b2:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x356f6:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x3572c:$s4: ERROR: FindProcessByName('explorer.exe')
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x13a35:$s1: "c" & "r" & "i" & "p" & "t"
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x27867:$sa2: -enCodEdCoMMANd 0x8cf9:$sb1: -w hidden 0x27853:$sb3: -WindOwsTyLe HiddEN 0x27848:$sc2: -NOPrOFiLe 0x27830:$se3: -ExECutioNPolicy bYpAsS
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18011:$s1: stratum+tcp:// 0x1dc8f:$s1: stratum+tcp://
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x301aa:$s1: WscRipt.sHeLl").Run
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0x959:$s2: Vanquish - DLL injection failed:
00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x143ef:$s1: "c" & "r" & "i" & "p" & "t"
00000024.00000003.6333426467.00000197A331E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x10fa6:$a1: logKextPassKey 0x10fd4:$b1: logKext Password: 0x10fe9:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x10fa6:$c1: logKextPassKey
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x266cb:$s1: stratum+tcp://
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x44b1:$r1: p^o^w^e^r^s^h^E^L^L 0x44b1:$r2: p^o^w^e^r^s^h^E^L^L
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x176d6:$s1: stratum+tcp:// 0x17771:$s1: stratum+tcp:// 0x178c8:$s1: stratum+tcp://
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x172dd:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x172b3:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x2d0b5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1730e:$s6: %s\%s.bat
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x3dd6b:$substring: AAAAYInlM 0x3dd67:$pattern1: /OiCAAAAYInlM
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x31e9:$x4: reflective_inject_dll 0x31e9:$x8: reflective_inject_dll 0x31e9:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x223f8:$payload7: eval(base64_decode( 0x22422:$payload7: eval(base64_decode( 0x223f3:$php_short: <? 0x2241c:$php_short: <? 0x32fd0:$php_short: <? 0x35509:$php_short: <? 0x223f3:$php_new2: <?php 0x2241c:$php_new2: <?php
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x138b6:$s1: stratum+tcp://
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x2ad91:$r2: p^ower^shell
00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x23c95:$new_php2: <?php 0x77af:$dynamic3: $U\xBF(' 0x2243e:$gen_bit_sus11: "cmd.exe 0x23085:$gen_bit_sus11: "cmd.exe 0x242d8:$gen_bit_sus12: %comspec% 0x23ca0:$gen_bit_sus46: shell_ 0x2a319:$gen_bit_sus47: Shell 0x2baa9:$gen_bit_sus47: Shell 0x5eab:$gen_bit_sus62: Cyber 0x5ed6:$gen_bit_sus62: Cyber 0x23c7b:$gen_much_sus8: WebShell 0x26a18:$gen_much_sus15: AntiVirus 0x2713c:$gen_much_sus15: AntiVirus 0x27f65:$gen_much_sus15: antivirus 0x28042:$gen_much_sus15: antivirus 0x28056:$gen_much_sus15: antivirus 0x2d83f:$gen_much_sus15: Antivirus 0x23c57:$gen_much_sus18: "unsafe 0x24600:$gen_much_sus24: exploit 0x227f0:$gen_much_sus25: Exploit 0x22ab1:$gen_much_sus25: Exploit
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x23c3e:$payload_and_input1: eval(request. 0x23c3c:$tagasp_short1: <%e 0x23c61:$tagasp_short2: %> 0x23c3c:$tagasp_long13: <%ev 0x2a243:$jsp4: public 0x2a2a1:$jsp4: public
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6299736334.00000197A2ED4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x36ab7:$new_php2: <?php 0x363c2:$dynamic3: $_server[base64_decode(' 0xce4c:$gen_bit_sus11: "cmd.exe 0xced8:$gen_bit_sus11: "cmd.exe 0xcfef:$gen_bit_sus11: "cmd.exe 0xfdcb:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2e9d3:$gen_bit_sus47: Shell 0x212fd:$gen_bit_sus50: bypass 0x3621e:$gen_bit_sus50: bypass 0x36458:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x34c4a:$gen_bit_sus69: $cmd 0xe1be:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x35289:$gen_much_sus8: WebShell 0x35525:$gen_much_sus8: Webshell 0x36409:$gen_much_sus8: Webshell
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xdd78:$opbs77: \x65\x76\x61\x6c\x28 0x5676:$php_short: <? 0xc9ee:$php_short: <? 0xca79:$php_short: <? 0xcb04:$php_short: <? 0xfede:$php_short: <? 0x10d31:$php_short: <? 0x342da:$php_short: <? 0x3530f:$php_short: <? 0x36ab7:$php_short: <? 0x3a253:$php_short: <? 0x36ab7:$php_new2: <?php
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2abc1:$s1: stratum+tcp:// 0x2ac01:$s1: stratum+tcp://
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6270634530.00000197A4698000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x35ec2:$sb1: -w hidden 0x35ecc:$sc1: -nop 0x35ed1:$se1: -ep bypass 0x7d49:$se3: -ExecutionPolicy Bypass
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xfeb8:$s1: stratum+tcp://
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xfebc:$payload7: eval(base64_decode( 0xd4d7:$php_short: <? 0xd507:$php_short: <? 0xdbf3:$php_short: <? 0x378dc:$php_short: <? 0x37d93:$php_short: <? 0x39caf:$php_short: <? 0x3a56b:$php_short: <? 0xd4d7:$php_new2: <?php 0x37d93:$php_new2: <?php 0x39caf:$php_new2: <?php 0x3a56b:$php_new2: <?php
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x394f7:$pbs7: pwnshell 0xd4d7:$php_short: <? 0xd507:$php_short: <? 0xdbf3:$php_short: <? 0x378dc:$php_short: <? 0x37d93:$php_short: <? 0x39caf:$php_short: <? 0x3a56b:$php_short: <? 0xd4d7:$php_new2: <?php 0x37d93:$php_new2: <?php 0x39caf:$php_new2: <?php 0x3a56b:$php_new2: <?php
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x2711b:$one3: srvCheckresponded
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x29a49:$s1: stratum+tcp://
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0xd5e:$opbs48: se'.(32*2) 0x179f:$php_short: <? 0x184cc:$php_short: <? 0x179f:$php_new2: <?php
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x3e14:$s12: sekurlsa::tickets
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x3778:$payload_and_input2: execute(request( 0x320b:$tagasp_short1: <%v 0x3776:$tagasp_short1: <%e 0xd619:$tagasp_short1: <%R 0x29da0:$tagasp_short1: <%\x03 0x2aac4:$tagasp_short1: <%\xC0 0x378f:$tagasp_short2: %> 0xa4fc:$tagasp_short2: %> 0x24f8a:$tagasp_short2: %> 0x3776:$tagasp_long12: <%ex 0x17400:$jsp4: public 0x17787:$jsp4: public
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp	CVE_2018_4878_0day_ITW	unknown	unknown	0x2bce5:$known1: f:\work\flash\obfuscation\loadswf\src 0x2bce5:$known5: f:\work\flash\obfuscation\loadswf\src 0x2bcc2:$loader3: loadswf 0x2bcd3:$loader3: loadswf 0x2bcdd:$loader3: loadswf 0x2bcff:$loader3: loadswf 0xd6ed:$flash_magic: 46 57 53
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xfeb1:$x1: IEX ((new-object net.webclient).download 0xff04:$x1: IEX ((new-object net.webclient).download 0xff58:$x1: IEX ((new-object net.webclient).download 0xffb9:$x1: IEX ((new-object net.webclient).download
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0x774d:$php_short: <? 0x1f1a6:$php_short: <? 0x1f1a6:$php_new2: <?php 0x1f1b3:$inp4: _POST[ 0x17554:$cpayload1: eval(" 0x17605:$cpayload1: eval(" 0x1f1ad:$cpayload1: eval($ 0x3d502:$cpayload1: eval(f 0x368d9:$cpayload2: exec(" 0x7dd8:$gen_bit_sus1: :eval} 0xeb85:$gen_bit_sus10: "cmd" 0xa4f9:$gen_bit_sus12: %comspec% 0xff94:$gen_bit_sus46: shell_ 0x2cb0:$gen_bit_sus47: Shell 0x12f76:$gen_bit_sus47: Shell 0x12fb8:$gen_bit_sus47: Shell 0x12fd2:$gen_bit_sus47: Shell 0x13f6d:$gen_bit_sus47: Shell 0x3ee98:$gen_bit_sus47: Shell 0x31365:$gen_bit_sus61: /bin/sh 0xbd68:$gen_bit_sus66: whoami
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_generic_eval	Generic PHP webshell which uses any eval/exec function in the same line with user input	Arnim Rupp	0x1f1ad:$geval: eval($_POST
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1f1a6:$new_php2: <?php 0xb0ab:$dynamic1: $duration($ 0xb0b5:$dynamic1: $calc($ 0xb0d7:$dynamic1: $bytes($ 0xb0de:$dynamic1: $calc($ 0xb0fe:$dynamic1: $calc($ 0xb524:$dynamic1: $nick($ 0x7dd8:$gen_bit_sus1: :eval} 0xeb85:$gen_bit_sus10: "cmd" 0xa4f9:$gen_bit_sus12: %comspec% 0xff94:$gen_bit_sus46: shell_ 0x2cb0:$gen_bit_sus47: Shell 0x12f76:$gen_bit_sus47: Shell 0x12fb8:$gen_bit_sus47: Shell 0x12fd2:$gen_bit_sus47: Shell 0x13f6d:$gen_bit_sus47: Shell 0x3ee98:$gen_bit_sus47: Shell 0x31365:$gen_bit_sus61: /bin/sh 0xbd68:$gen_bit_sus66: whoami 0x2e6a:$gen_much_sus25: Exploit 0x3085:$gen_much_sus25: Exploit
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1f1cc:$payload_and_input2: execute request( 0x1f1ca:$tagasp_short1: <%e 0x1c5a8:$tagasp_short2: %> 0x1f1e9:$tagasp_short2: %> 0x1f1ca:$tagasp_long12: <%ex
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0x1f1a8:$php: php @eval($_POST[
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x2ff92:$a: XTREME 0x2ffa4:$a: XTREME 0x2ffa4:$b: XTREMEBINDER
00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x11dd1:$asp_much_sus8: Webshell 0x3129:$asp_much_sus15: antivirus 0x313f:$asp_much_sus15: antivirus 0x3261:$asp_much_sus15: Antivirus 0x333d:$asp_much_sus15: antivirus 0x3370:$asp_much_sus15: antivirus 0x338e:$asp_much_sus15: antivirus 0x33a6:$asp_much_sus15: antivirus 0x33d1:$asp_much_sus15: antivirus 0x3428:$asp_much_sus15: antivirus 0x343e:$asp_much_sus15: antivirus 0x3769:$asp_much_sus15: antivirus 0x3854:$asp_much_sus15: antivirus 0x386d:$asp_much_sus15: antivirus 0x3886:$asp_much_sus15: antivirus 0x3976:$asp_much_sus15: Antivirus 0x10b9e:$asp_much_sus28: exploit 0xf376:$asp_gen_obf1: "+" 0xf37c:$asp_gen_obf1: "+" 0x10183:$asp_gen_obf1: "+" 0x10a44:$asp_gen_obf1: "+"
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x319d9:$payload4: eval(gzuncompress(base64_decode 0x16a1a:$php_short: <? 0x16a83:$php_short: <? 0x16aec:$php_short: <? 0x16b55:$php_short: <? 0x16bbe:$php_short: <? 0x1b093:$php_short: <? 0x1fd39:$php_short: <? 0x3fb28:$php_short: <? 0x16a1a:$php_new2: <?php 0x16a83:$php_new2: <?php 0x16aec:$php_new2: <?php 0x16b55:$php_new2: <?php 0x16bbe:$php_new2: <?php
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x22e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x22ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x235bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x235ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x235fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x23b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x23b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x7bd8:$s1: stratum+tcp://
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0x2dc2c:$x1: /////////////////////regkeyenum////////////
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x102e5:$s1: stratum+tcp://
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x31ba2:$c: Failed to load SAM functions
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x1c178:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x3518b:$x1: reflectively inject a dll into a process. 0x35171:$x4: reflective_inject_dll 0x35228:$x4: reflective_inject_dll 0x35171:$x8: reflective_inject_dll 0x35228:$x8: reflective_inject_dll 0x35228:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x217f1:$s1: stratum+tcp://
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x329d9:$payload4: eval(gzuncompress(base64_decode 0x17a1a:$php_short: <? 0x17a83:$php_short: <? 0x17aec:$php_short: <? 0x17b55:$php_short: <? 0x17bbe:$php_short: <? 0x1c093:$php_short: <? 0x20d39:$php_short: <? 0x40b28:$php_short: <? 0x17a1a:$php_new2: <?php 0x17a83:$php_new2: <?php 0x17aec:$php_new2: <?php 0x17b55:$php_new2: <?php 0x17bbe:$php_new2: <?php
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x28ead:$x4: reflective_inject_dll 0x28ead:$x8: reflective_inject_dll 0x28ead:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2cbb:$s1: stratum+tcp://
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000024.00000003.6294115539.00000197A3970000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x3c932:$x1: IEX ((new-object net.webclient).download
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3a1e:$s1: stratum+tcp://
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x925f:$s1: stratum+tcp://
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x3b8ac:$: odhyrfjcnfkdtslt
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xd67e:$payload7: eval(base64_decode( 0xd669:$php_short: <? 0xe4dd:$php_short: <? 0x26827:$php_short: <? 0xd669:$php_new2: <?php 0xe4dd:$php_new2: <?php
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd734:$s1: stratum+tcp://
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Flor

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Threatname: CryLock

Yara Overview

Memory Dumps