00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp | Tofu_Backdoor | Detects Tofu Trojan | Cylance | - 0x2f5af:$a: Cookies: Sym1.0
- 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
|
00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp | ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth | - 0xf57f:$x1: zxplug -add
- 0xf58b:$x2: getxxx c:\xyz.dll
|
00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xd5e:$opbs48: se'.(32*2)
- 0x179f:$php_short: <?
- 0x184cc:$php_short: <?
- 0x179f:$php_new2: <?php
|
00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x8238:$: \\.\pipe\%s%s%d
|
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x1ce01:$opbs73: eval(str_rot13(
- 0x6525:$php_short: <?
- 0xf324:$php_short: <?
- 0x1f6db:$php_short: <?
- 0x33597:$php_short: <?
- 0x33ae7:$php_short: <?
- 0x37c06:$php_short: <?
- 0x6525:$php_new1: <?=$
|
00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | - 0x23b4a:$s1: .CreateObject("WScript.Shell")
- 0x20175:$p1: powershell.exe
- 0x20c53:$p1: powershell.exe
- 0x23b7b:$p1: powershell.exe
|
00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp | clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth | - 0x2c897:$s3: hhhhh.exe
- 0x2c881:$s4: ttttt.exe
- 0x2c86b:$s6: cle.log.1
|
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x2abc1:$s1: stratum+tcp://
- 0x2ac01:$s1: stratum+tcp://
|
00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown | - 0xa3d8:$a: Amplia Security
- 0xa4a5:$e: extract the TGT session key
|
00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x47e1:$payload_and_input1: eval(request[
- 0x7d16:$tagasp_short1: <%@
- 0x7d3b:$tagasp_short1: <%v
- 0x2f464:$tagasp_short1: <%\xEF
- 0x7d39:$tagasp_short2: %>
- 0x1a769:$tagasp_short2: %>
- 0x316c3:$tagasp_short2: %>
- 0x34885:$tagasp_short2: %>
- 0x3af14:$tagasp_short2: %>
- 0x7d16:$tagasp_long20: <%@pagelanguage="jscript
|
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x45ed:$s1: stratum+tcp://
|
00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team | - 0x23a78:$cUp: Upload failed! [Remote error code:
|
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x164fe:$new_php2: <?php
- 0x16f20:$new_php2: <?php
- 0x16503:$dynamic1: $_system($
- 0x1715:$gen_bit_sus47: Shell
- 0x1a08:$gen_bit_sus47: Shell
- 0x2062:$gen_bit_sus47: Shell
- 0x33f6:$gen_bit_sus47: Shell
- 0x3420:$gen_bit_sus47: Shell
- 0x344a:$gen_bit_sus47: Shell
- 0x347c:$gen_bit_sus47: Shell
- 0x34bc:$gen_bit_sus47: Shell
- 0x3500:$gen_bit_sus47: Shell
- 0x15d9d:$gen_bit_sus47: Shell
- 0x5c83:$gen_bit_sus50: bypass
- 0x148dd:$gen_bit_sus61: /bin/sh
- 0x15d4d:$gen_much_sus8: Webshell
- 0x16289:$gen_much_sus8: webshell
- 0x16bab:$gen_much_sus8: WebShell
- 0x16f0b:$gen_much_sus8: WebShell
- 0x2ef0a:$gen_much_sus8: WebShell
- 0x1dfdb:$gen_much_sus15: Antivirus
|
00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x33807:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x33817:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
|
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x1871e:$x3: lsadump::dcsync
|
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth | - 0x3c3cd:$s2: system.net.webclient).downloadstring('http
|
00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x187e7:$s5: sekurlsa::tspkg
- 0x187a4:$s13: sekurlsa::ekeys
- 0x18761:$s14: sekurlsa::dpapi
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x70b2:$payload7: eval(base64_decode(
- 0x70ad:$php_short: <?
- 0x89aa:$php_short: <?
- 0x9a89:$php_short: <?
- 0x14c27:$php_short: <?
- 0x89aa:$php_new1: <?=$
- 0x70ad:$php_new2: <?php
- 0x9a89:$php_new2: <?php
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x70ad:$new_php2: <?php
- 0x9a89:$new_php2: <?php
- 0xaffb:$dynamic1: $split[stringlen($
- 0xa01d:$gen_bit_sus11: "cmd.exe
- 0x1df34:$gen_bit_sus11: "cmd.exe
- 0x9811:$gen_bit_sus50: bypass
- 0x7097:$gen_much_sus8: Webshell
- 0x8b88:$gen_much_sus8: Webshell
- 0xaba5:$gen_much_sus8: WebShell
- 0xabf8:$gen_much_sus8: WebShell
- 0x1bc0b:$gen_much_sus8: Webshell
- 0x1bee5:$gen_much_sus8: Webshell
- 0x1dcc2:$gen_much_sus8: webshell
- 0x97fc:$gen_much_sus15: antivirus
- 0x1e505:$gen_much_sus18: "unsafe
- 0x85aa:$gen_much_sus25: Exploit
- 0x8e6d:$gen_much_sus25: Exploit
- 0x9156:$gen_much_sus25: Exploit
- 0x9d04:$gen_much_sus25: Exploit
- 0xa139:$gen_much_sus25: Exploit
- 0xa380:$gen_much_sus25: Exploit
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x9e1a:$opbs73: eval(str_rot13(
- 0x70ad:$php_short: <?
- 0x89aa:$php_short: <?
- 0x9a89:$php_short: <?
- 0x14c27:$php_short: <?
- 0x89aa:$php_new1: <?=$
- 0x70ad:$php_new2: <?php
- 0x9a89:$php_new2: <?php
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x1e4ed:$payload_and_input1: eval(request.
- 0x818e:$tagasp_short1: <%@
- 0x1e4d0:$tagasp_short1: <%@
- 0x1e4eb:$tagasp_short1: <%e
- 0x81b6:$tagasp_short2: %>
- 0x126b9:$tagasp_short2: %>
- 0x1e4e9:$tagasp_short2: %>
- 0x1e50f:$tagasp_short2: %>
- 0x1e4eb:$tagasp_long13: <%ev
- 0x1e4d0:$tagasp_long20: <%@pagelanguage="jscript
- 0x1c1f4:$jsp4: public
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x7097:$asp_much_sus8: Webshell
- 0x8b88:$asp_much_sus8: Webshell
- 0xaba5:$asp_much_sus8: WebShell
- 0xabf8:$asp_much_sus8: WebShell
- 0x1bc0b:$asp_much_sus8: Webshell
- 0x1bee5:$asp_much_sus8: Webshell
- 0x1dcc2:$asp_much_sus8: webshell
- 0x97fc:$asp_much_sus15: antivirus
- 0x1e505:$asp_much_sus18: "unsafe
- 0xab6f:$asp_much_sus33: hacker
- 0xa01d:$asp_gen_sus11: "cmd.exe
- 0x1df34:$asp_gen_sus11: "cmd.exe
- 0x84e2:$asp_gen_obf1: "+"
- 0x84e9:$asp_gen_obf1: "+"
- 0xa15c:$asp_gen_obf1: "+"
- 0xa160:$asp_gen_obf1: "+"
- 0xa165:$asp_gen_obf1: "+"
- 0xa16a:$asp_gen_obf1: "+"
- 0xa16e:$asp_gen_obf1: "+"
- 0xa172:$asp_gen_obf1: "+"
- 0xa177:$asp_gen_obf1: "+"
|
00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x1e175:$payload2: eval(gzinflate(base64_decode(
- 0x1acb:$php_short: <?
- 0x24e2:$php_short: <?
- 0x24f6:$php_short: <?
- 0x19a9f:$php_short: <?
- 0x1d0ff:$php_short: <?
- 0x3c44d:$php_short: <?
- 0x3c49b:$php_short: <?
- 0x3c44d:$php_new2: <?php
- 0x3c49b:$php_new2: <?php
|
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x3c44d:$new_php2: <?php
- 0x3c49b:$new_php2: <?php
- 0x3c452:$dynamic1: $_system($
- 0x1bda7:$dynamic5: $__()
- 0x3b2fa:$gen_bit_sus11: "cmd.exe
- 0x22898:$gen_bit_sus12: %comspec%
- 0xa23e:$gen_bit_sus46: shell_
- 0xa291:$gen_bit_sus46: shell_
- 0x3dffc:$gen_bit_sus47: Shell
- 0x1c67a:$gen_bit_sus50: bypass
- 0x1c730:$gen_bit_sus50: bypass
- 0x1b2ac:$gen_bit_sus55: e'.'v
- 0x1b2b0:$gen_bit_sus55: v'.'a
- 0x1b2b4:$gen_bit_sus55: a'.'l
- 0x1b2c4:$gen_bit_sus55: z'.'i
- 0x1b2c9:$gen_bit_sus55: n'.'f
- 0x1b2cd:$gen_bit_sus55: f'.'l
- 0x1dd42:$gen_bit_sus56: m"."d
- 0x1dd48:$gen_bit_sus56: e"."x
- 0x1c93b:$gen_bit_sus59: 'cmd'
- 0x30bdb:$gen_bit_sus62: Cyber
|
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x1b2ac:$opbs18: e'.'v'.'a'.'l
- 0x1acb:$php_short: <?
- 0x24e2:$php_short: <?
- 0x24f6:$php_short: <?
- 0x19a9f:$php_short: <?
- 0x1d0ff:$php_short: <?
- 0x3c44d:$php_short: <?
- 0x3c49b:$php_short: <?
- 0x3c44d:$php_new2: <?php
- 0x3c49b:$php_new2: <?php
|
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x1d692:$s1: stratum+tcp://
|
00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x1f536:$: \\.\pipe\%s%s%d
|
00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security | |
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x1ce01:$opbs73: eval(str_rot13(
- 0x6525:$php_short: <?
- 0xf324:$php_short: <?
- 0x1f6db:$php_short: <?
- 0x33597:$php_short: <?
- 0x33ae7:$php_short: <?
- 0x37c06:$php_short: <?
- 0x6525:$php_new1: <?=$
|
00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x82eb:$s1: stratum+tcp://
- 0x2752e:$s1: stratum+tcp://
|
00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | |
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x1ad5b:$x3: lsadump::dcsync
|
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x1acec:$s1: sekurlsa::msv
- 0x1acd6:$s2: sekurlsa::wdigest
- 0x1acab:$s4: sekurlsa::kerberos
- 0x1ac52:$s5: sekurlsa::tspkg
- 0x1ac3c:$s6: sekurlsa::livessp
- 0x1ac2a:$s7: sekurlsa::ssp
- 0x1ac14:$s9: sekurlsa::process
- 0x1ac7c:$s11: sekurlsa::pth
- 0x1ac66:$s12: sekurlsa::tickets
- 0x1acc2:$s13: sekurlsa::ekeys
- 0x1abcf:$s14: sekurlsa::dpapi
- 0x1abb9:$s15: sekurlsa::credman
|
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x55af:$s1: stratum+tcp://
|
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6349431685.00000197A36F1000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x27498:$s1: stratum+tcp://
- 0x280b4:$s1: stratum+tcp://
|
00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x3211c:$s1: stratum+tcp://
|
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp | APT9002Strings | 9002 Identifying Strings | Seth Hardy | - 0x4e86:$: %%TEMP%%\%s_p.ax
|
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xa6f2:$sa2: -EncodedCommand
- 0xa6e3:$sb2: -window hidden
- 0x19bb5:$sc1: -nop
- 0x19bc6:$sd1: -noni
|
00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team | - 0x9789:$cUp: Upload failed! [Remote error code:
- 0x9869:$GDGSYDLYR: GDGSYDLYR_%
|
00000024.00000003.6340510692.00000197A4B3C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x1ce01:$opbs73: eval(str_rot13(
- 0x6525:$php_short: <?
- 0xf324:$php_short: <?
- 0x1f6db:$php_short: <?
- 0x33597:$php_short: <?
- 0x33ae7:$php_short: <?
- 0x37c06:$php_short: <?
- 0x6525:$php_new1: <?=$
|
00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x3111c:$s1: stratum+tcp://
|
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x82eb:$s1: stratum+tcp://
- 0x2752e:$s1: stratum+tcp://
|
00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | |
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x29107:$s1: stratum+tcp://
- 0x2dc08:$s1: stratum+tcp://
|
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp | JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | |
00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp | JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | |
00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x1c1e0:$s2: sekurlsa::wdigest
- 0x1c111:$s6: sekurlsa::livessp
- 0x1c156:$s9: sekurlsa::process
- 0x1c19b:$s12: sekurlsa::tickets
- 0x1c0cc:$s15: sekurlsa::credman
|
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth | - 0x1ad4b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1af5b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
- 0x1ad4b:$c1: Elevation:Administrator!new:
- 0x1af5b:$c1: Elevation:Administrator!new:
- 0x1acf2:$c6: ConsentPromptBehaviorAdmin
- 0x1af02:$c6: ConsentPromptBehaviorAdmin
|
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp | Certutil_Decode_OR_Download | Certutil Decode | Florian Roth | - 0x2541b:$a1: certutil -decode
|
00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | - 0x1d676:$pdb1: \ADPassHunt\
- 0x1d687:$pdb2: \ADPassHunt.pdb
- 0x1d69b:$s1: Usage: .\ADPassHunt.exe
- 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute
- 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute
- 0x1d734:$s4: [GPP] Searching for passwords now
|
00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xd5e:$opbs48: se'.(32*2)
- 0x179f:$php_short: <?
- 0x184cc:$php_short: <?
- 0x179f:$php_new2: <?php
|
00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x23c95:$new_php2: <?php
- 0x77af:$dynamic3: $U\xBF('
- 0x2243e:$gen_bit_sus11: "cmd.exe
- 0x23085:$gen_bit_sus11: "cmd.exe
- 0x242d8:$gen_bit_sus12: %comspec%
- 0x23ca0:$gen_bit_sus46: shell_
- 0x2a319:$gen_bit_sus47: Shell
- 0x2baa9:$gen_bit_sus47: Shell
- 0x5eab:$gen_bit_sus62: Cyber
- 0x5ed6:$gen_bit_sus62: Cyber
- 0x23c7b:$gen_much_sus8: WebShell
- 0x26a18:$gen_much_sus15: AntiVirus
- 0x2713c:$gen_much_sus15: AntiVirus
- 0x27f65:$gen_much_sus15: antivirus
- 0x28042:$gen_much_sus15: antivirus
- 0x28056:$gen_much_sus15: antivirus
- 0x2d83f:$gen_much_sus15: Antivirus
- 0x23c57:$gen_much_sus18: "unsafe
- 0x24600:$gen_much_sus24: exploit
- 0x227f0:$gen_much_sus25: Exploit
- 0x22ab1:$gen_much_sus25: Exploit
|
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x23c3e:$payload_and_input1: eval(request.
- 0x23c3c:$tagasp_short1: <%e
- 0x23c61:$tagasp_short2: %>
- 0x23c3c:$tagasp_long13: <%ev
- 0x2a243:$jsp4: public
- 0x2a2a1:$jsp4: public
|
00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter | - 0xe4ef:$substring: AAAAYInlM
- 0xe4eb:$pattern1: /OiCAAAAYInlM
|
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | - 0x9164:$s1: .CreateObject("WScript.Shell")
- 0x2fbee:$s1: .CreateObject("WScript.Shell")
- 0x2c17d:$p1: powershell.exe
- 0x2c1d3:$p1: powershell.exe
- 0x39fb8:$p1: powershell.exe
- 0x2c1a0:$p2: -ExecutionPolicy Bypass
- 0x2c1f6:$p2: -ExecutionPolicy Bypass
- 0xe4c7:$p3: [System.Convert]::FromBase64String(
|
00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth | - 0x175a4:$s1: powershell.exe -nop -w hidden -e
- 0x1640a:$s2: Call Shell(
- 0x17794:$s3: Sub Workbook_Open()
|
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp | TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) | - 0x3aa7:$n1: file://
- 0x255cd:$n1: file://
- 0x3f3f:$ax2: 5.153.58.45
|
00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x15c42:$s1: stratum+tcp://
|
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x1963d:$s1: stratum+tcp://
|
00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6356649431.00000197A36F1000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x138b6:$s1: stratum+tcp://
|
00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x82eb:$s1: stratum+tcp://
- 0x2752e:$s1: stratum+tcp://
|
00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | |
00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x1046d:$s4: sekurlsa::kerberos
|
00000024.00000003.6300924417.00000197A4314000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x82eb:$s1: stratum+tcp://
- 0x2752e:$s1: stratum+tcp://
|
00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | |
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG | - 0x243e6:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
|
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | IMPLANT_5_v3 | XTunnel Implant by APT28 | US CERT | - 0x35bcc:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
- 0x35bee:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
|
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xc8fc:$s1: stratum+tcp://
|
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | |
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security | |
00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp | malware_red_leaves_memory | Red Leaves C&C left in memory, use with Volatility / Rekall | David Cannings | - 0x28019:$: OnlineTime=
- 0x28057:$: clientpath=
- 0x28066:$: serverpath=
|
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x1ce01:$opbs73: eval(str_rot13(
- 0x6525:$php_short: <?
- 0xf324:$php_short: <?
- 0x1f6db:$php_short: <?
- 0x33597:$php_short: <?
- 0x33ae7:$php_short: <?
- 0x37c06:$php_short: <?
- 0x6525:$php_new1: <?=$
|
00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xd5e:$opbs48: se'.(32*2)
- 0x179f:$php_short: <?
- 0x184cc:$php_short: <?
- 0x179f:$php_new2: <?php
|
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp | Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team | - 0x1c1ea:$s05: fce8890000006089e531d2648b52308b
|
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp | webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp | - 0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28
- 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x36ab7:$new_php2: <?php
- 0x363c2:$dynamic3: $_server[base64_decode('
- 0xce4c:$gen_bit_sus11: "cmd.exe
- 0xced8:$gen_bit_sus11: "cmd.exe
- 0xcfef:$gen_bit_sus11: "cmd.exe
- 0xfdcb:$gen_bit_sus11: "cmd.exe
- 0x1ed35:$gen_bit_sus47: Shell
- 0x2e9d3:$gen_bit_sus47: Shell
- 0x212fd:$gen_bit_sus50: bypass
- 0x3621e:$gen_bit_sus50: bypass
- 0x36458:$gen_bit_sus59: 'cmd'
- 0x1dae3:$gen_bit_sus60: "execute"
- 0x1db1a:$gen_bit_sus60: "execute"
- 0x1c0ec:$gen_bit_sus62: Cyber
- 0x1c18c:$gen_bit_sus62: Cyber
- 0x34c4a:$gen_bit_sus69: $cmd
- 0xe1be:$gen_much_sus8: Webshell
- 0x25860:$gen_much_sus8: Webshell
- 0x35289:$gen_much_sus8: WebShell
- 0x35525:$gen_much_sus8: Webshell
- 0x36409:$gen_much_sus8: Webshell
|
00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xdd78:$opbs77: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp | Tofu_Backdoor | Detects Tofu Trojan | Cylance | - 0x2f5af:$a: Cookies: Sym1.0
- 0x2f550:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
|
00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x138b6:$s1: stratum+tcp://
|
00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp | xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ | - 0x2ff92:$a: XTREME
- 0x2ffa4:$a: XTREME
- 0x2ffa4:$b: XTREMEBINDER
|
00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x2be:$s1: stratum+tcp://
|
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x429d9:$payload4: eval(gzuncompress(base64_decode
- 0x27a1a:$php_short: <?
- 0x27a83:$php_short: <?
- 0x27aec:$php_short: <?
- 0x27b55:$php_short: <?
- 0x27bbe:$php_short: <?
- 0x2c093:$php_short: <?
- 0x30d39:$php_short: <?
- 0x50b28:$php_short: <?
- 0x27a1a:$php_new2: <?php
- 0x27a83:$php_new2: <?php
- 0x27aec:$php_new2: <?php
- 0x27b55:$php_new2: <?php
- 0x27bbe:$php_new2: <?php
|
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | - 0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
|
00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x2abc1:$s1: stratum+tcp://
- 0x2ac01:$s1: stratum+tcp://
|
00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6314037891.00000197A4314000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth | - 0x27f53:$xo1: Ik~mhhe+1*4
|
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | |
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth | |
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | - 0x1d676:$pdb1: \ADPassHunt\
- 0x1d687:$pdb2: \ADPassHunt.pdb
- 0x1d69b:$s1: Usage: .\ADPassHunt.exe
- 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute
- 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute
- 0x1d734:$s4: [GPP] Searching for passwords now
|
00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | - 0x3b8ac:$: odhyrfjcnfkdtslt
|
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0xd67e:$payload7: eval(base64_decode(
- 0xd669:$php_short: <?
- 0xe4dd:$php_short: <?
- 0x26827:$php_short: <?
- 0xd669:$php_new2: <?php
- 0xe4dd:$php_new2: <?php
|
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xd734:$s1: stratum+tcp://
|
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x333a3:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67
- 0x33bae:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67
- 0x33bbe:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
|
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth | - 0x12e1d:$s1: WScript.Shell").run
|
00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | |
00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x1f5a7:$s1: stratum+tcp://
- 0x21897:$s1: stratum+tcp://
|
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp | PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Florian Roth | - 0x21ed4:$s1: Stratum notify: invalid Merkle branch
|
00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp | JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security | |
00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xc77e:$s1: stratum+tcp://
|
00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp | Certutil_Decode_OR_Download | Certutil Decode | Florian Roth | - 0xf0c5:$a5: certutil -urlcache -split -f http
|
00000024.00000003.6330651040.00000197A36F1000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x34aac:$s1: stratum+tcp://
|
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x2f349:$payload_and_input1: eval(request.
- 0x2f329:$tagasp_short1: <%@
- 0x2f347:$tagasp_short1: <%e
- 0x35e79:$tagasp_short1: <%\xC4
- 0x3eae6:$tagasp_short1: <%\x1D
- 0x1c67:$tagasp_short2: %>
- 0x109f7:$tagasp_short2: %>
- 0x11547:$tagasp_short2: %>
- 0x123a7:$tagasp_short2: %>
- 0x3a8b6:$tagasp_short2: %>
- 0x2f347:$tagasp_long13: <%ev
|
00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | - 0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
|
00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | |
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp | SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0x170eb:$x1: iex ((new-object net.webclient).Download
|
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x1a391:$sb1: -w Hidden
- 0x1a13d:$sb3: -windowstyle hidden
- 0x1a132:$sc2: -noprofile
- 0x1a11a:$se3: -ExecutionPolicy bypass
|
00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x1f536:$: \\.\pipe\%s%s%d
|
00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security | |
00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | - 0x2ec46:$rat1: rat/modules/socks.(*HTTPProxyClient).beacon
- 0x2eb23:$rat2: rat.(*Core).generateBeacon
- 0x2eb40:$rat3: rat.gJitter
- 0x2eb4e:$rat4: rat/comms.(*protectedChannel).SendCmdResponse
- 0x2ebb4:$rat6: rat/modules/latlisten.(*latlistensrv).handleCmd
- 0x2ec1c:$rat8: rat/modules/netsweeper.(*Pinger).listen
- 0x2ec46:$rat9: rat/modules/socks.(*HTTPProxyClient).beacon
- 0x2ec74:$rat10: rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction
- 0x2eafa:$winblows: rat/platforms/win.(*winblows).GetStage
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | REDLEAVES_CoreImplant_UniqueStrings | Strings identifying the core REDLEAVES RAT in its deobfuscated state | USG | - 0xf21:$unique4: red_autumnal_leaves_dllmain.dll
- 0xd6d:$unique7: \NamePipe_MoreWindows
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | Certutil_Decode_OR_Download | Certutil Decode | Florian Roth | - 0x8a8:$a1: certutil -decode
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | CobaltStrike_MZ_Launcher | Detects CobaltStrike MZ header ReflectiveLoader launcher | yara@s3c.za.net | - 0x21279:$mz_launcher: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x35f9:$s1: stratum+tcp://
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth | - 0x3a3f:$s1: WScript.Shell").run
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | Ham_backdoor | unknown | Cylance Spear Team | - 0x658:$a: 8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3
|
00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp | malware_red_leaves_generic | Red Leaves malware, related to APT10 | David Cannings | - 0xdd7:$: I can not start %s
- 0xe5f:$: dwConnectPort
- 0xe71:$: dwRemoteLanPort
- 0xe85:$: strRemoteLanAddress
- 0xe9d:$: strLocalConnectIp
- 0xd5d:$: \\.\pipe\NamePipe_MoreWindows
- 0xd9d:$: RedLeavesCMDSimulatorMutex
- 0xca0:$: (NT %d.%d Build %d)
- 0xf21:$: red_autumnal_leaves_dllmain.dll
- 0xbce:$: __data
- 0xbe2:$: __serial
- 0xbf8:$: __upt
|
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp | webshell_php_base64_encoded_payloads | php webshell containing base64 encoded payload | Arnim Rupp | - 0x14efc:$decode1: base64_decode
- 0x156c3:$decode1: base64_decode
- 0x157cc:$decode1: base64_decode
- 0x15819:$decode1: base64_decode
- 0x15837:$decode1: base64_decode
- 0xd158:$four1: zeXN0ZW
- 0x15e97:$php_short: <?
- 0x15e97:$php_new2: <?php
|
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x156be:$payload7: eval(base64_decode(
- 0x15814:$payload7: eval(base64_decode(
- 0x15e97:$php_short: <?
- 0x15e97:$php_new2: <?php
|
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x15e97:$new_php2: <?php
- 0x14a98:$dynamic1: $_session[md5($
- 0x14b02:$dynamic1: $_session[md5($
- 0x19870:$gen_bit_sus2: .replace(/y/g
- 0x2fd92:$gen_bit_sus11: "cmd.exe
- 0x38872:$gen_bit_sus29: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
- 0x14d6b:$gen_bit_sus35: crack
- 0x1566f:$gen_bit_sus46: shell_
- 0x15e3e:$gen_bit_sus46: shell_
- 0x13bb4:$gen_bit_sus47: Shell
- 0x15501:$gen_bit_sus47: Shell
- 0x17e5e:$gen_bit_sus47: Shell
- 0x2c4b7:$gen_bit_sus47: Shell
- 0x150e7:$gen_bit_sus50: bypass
- 0x1a240:$gen_bit_sus50: bypass
- 0x32316:$gen_bit_sus50: bypass
- 0x15f43:$gen_bit_sus60: "execute"
- 0x15df4:$gen_bit_sus69: $cmd
- 0x13cbf:$gen_much_sus8: Webshell
- 0x33510:$gen_much_sus15: antivirus
- 0x2c432:$gen_much_sus16: mcafee
|
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp | webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions. | Arnim Rupp | - 0x1602c:$pbs3: "b374k
- 0x14a1f:$pbs6: 0de664ecd2be02cdd54234a0d1229b43
- 0x15e97:$php_short: <?
- 0x15e97:$php_new2: <?php
|
00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | |
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp | Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team | - 0x1c1ea:$s05: fce8890000006089e531d2648b52308b
|
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp | webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp | - 0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28
- 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x36ab7:$new_php2: <?php
- 0x363c2:$dynamic3: $_server[base64_decode('
- 0xce4c:$gen_bit_sus11: "cmd.exe
- 0xced8:$gen_bit_sus11: "cmd.exe
- 0xcfef:$gen_bit_sus11: "cmd.exe
- 0xfdcb:$gen_bit_sus11: "cmd.exe
- 0x1ed35:$gen_bit_sus47: Shell
- 0x2e9d3:$gen_bit_sus47: Shell
- 0x212fd:$gen_bit_sus50: bypass
- 0x3621e:$gen_bit_sus50: bypass
- 0x36458:$gen_bit_sus59: 'cmd'
- 0x1dae3:$gen_bit_sus60: "execute"
- 0x1db1a:$gen_bit_sus60: "execute"
- 0x1c0ec:$gen_bit_sus62: Cyber
- 0x1c18c:$gen_bit_sus62: Cyber
- 0x34c4a:$gen_bit_sus69: $cmd
- 0xe1be:$gen_much_sus8: Webshell
- 0x25860:$gen_much_sus8: Webshell
- 0x35289:$gen_much_sus8: WebShell
- 0x35525:$gen_much_sus8: Webshell
- 0x36409:$gen_much_sus8: Webshell
|
00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xdd78:$opbs77: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x3b7f3:$s1: stratum+tcp://
|
00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth | - 0x2343d:$s1: .CreateObject("WScript.Shell")
- 0x2d6ef:$s1: .CreateObject("WScript.Shell")
- 0x5ccd:$p1: powershell.exe
- 0x3afdf:$p1: powershell.exe
|
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | HackTool_Samples | Hacktool | unknown | - 0x2a9e:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
|
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x12960:$s1: stratum+tcp://
- 0x1298b:$s1: stratum+tcp://
- 0x13d17:$s1: stratum+tcp://
|
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp | MirageStrings | Mirage Identifying Strings | Seth Hardy | - 0x378b:$: Neo,welcome to the desert of real.
|
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp | Trojan_Win32_PlaKeylog_B | Keylogger component | Microsoft | - 0x2a2dd:$hook: C6 06 FF 46 C6 06 25
- 0x2a2e8:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
|
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | - 0x38778:$s15: [+] OK! I Closed The Two Socket.
|
00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x27498:$s1: stratum+tcp://
- 0x280b4:$s1: stratum+tcp://
|
00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | - 0x1d676:$pdb1: \ADPassHunt\
- 0x1d687:$pdb2: \ADPassHunt.pdb
- 0x1d69b:$s1: Usage: .\ADPassHunt.exe
- 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute
- 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute
- 0x1d734:$s4: [GPP] Searching for passwords now
|
00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x3b7f3:$s1: stratum+tcp://
|
00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6310770552.00000197A4B3C000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp | HackTool_MSIL_SharPersist_2 | unknown | FireEye | - 0xf2aa:$a1: SharPersist.lib
- 0xf2be:$a2: SharPersist.exe
- 0xf2d2:$b1: ERROR: Invalid hotkey location option given.
- 0xf303:$b2: ERROR: Invalid hotkey given.
- 0xf324:$b3: ERROR: Keepass configuration file not found.
- 0xf355:$b4: ERROR: Keepass configuration file was not found.
- 0xf38a:$b5: ERROR: That value already exists in:
- 0xf3b3:$b6: ERROR: Failed to delete hidden registry key.
- 0xf3e4:$pdb1: \SharPersist\
- 0xf3f6:$pdb2: \SharPersist.pdb
|
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xb684:$sb1: -W hidden
- 0xb67f:$sc1: -nop
- 0xb68e:$sd2: -noninteractive
- 0xb672:$se2: -exec bypass
- 0xb672:$se4: -exec bypass
|
00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp | JoeSecurity_Growtopia | Yara detected Growtopia | Joe Security | |
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xdc54:$s1: stratum+tcp://
- 0xddca:$s1: stratum+tcp://
|
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth | - 0xa67:$s1: wscript.shell").Run
- 0x133f:$s1: wscript.shell").Run
|
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x39288:$s1: sekurlsa::msv
- 0x3930a:$s7: sekurlsa::ssp
- 0x392c9:$s11: sekurlsa::pth
|
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x429d9:$payload4: eval(gzuncompress(base64_decode
- 0x27a1a:$php_short: <?
- 0x27a83:$php_short: <?
- 0x27aec:$php_short: <?
- 0x27b55:$php_short: <?
- 0x27bbe:$php_short: <?
- 0x2c093:$php_short: <?
- 0x30d39:$php_short: <?
- 0x50b28:$php_short: <?
- 0x27a1a:$php_new2: <?php
- 0x27a83:$php_new2: <?php
- 0x27aec:$php_new2: <?php
- 0x27b55:$php_new2: <?php
- 0x27bbe:$php_new2: <?php
|
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | - 0x11b39:$one6: Shell Environ$("COMSPEC") & " /c
|
00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | - 0x2ec46:$rat1: rat/modules/socks.(*HTTPProxyClient).beacon
- 0x2eb23:$rat2: rat.(*Core).generateBeacon
- 0x2eb40:$rat3: rat.gJitter
- 0x2eb4e:$rat4: rat/comms.(*protectedChannel).SendCmdResponse
- 0x2ebb4:$rat6: rat/modules/latlisten.(*latlistensrv).handleCmd
- 0x2ec1c:$rat8: rat/modules/netsweeper.(*Pinger).listen
- 0x2ec46:$rat9: rat/modules/socks.(*HTTPProxyClient).beacon
- 0x2ec74:$rat10: rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction
- 0x2eafa:$winblows: rat/platforms/win.(*winblows).GetStage
|
00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | |
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | |
00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp | webshell_php_generic | php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings | Arnim Rupp | - 0x26f36:$php_short: <?
- 0x26f75:$php_short: <?
- 0x26fb5:$php_short: <?
- 0x26ff8:$php_short: <?
- 0x27042:$php_short: <?
- 0x2735f:$php_short: <?
- 0x2744d:$php_short: <?
- 0x2753a:$php_short: <?
- 0x27593:$php_short: <?
- 0x27711:$php_short: <?
- 0x26f36:$php_new2: <?php
- 0x26f75:$php_new2: <?php
- 0x26fb5:$php_new2: <?php
- 0x26ff8:$php_new2: <?php
- 0x27042:$php_new2: <?php
- 0x2735f:$php_new2: <?php
- 0x2753a:$php_new2: <?php
- 0x27593:$php_new2: <?php
- 0x27711:$php_new2: <?php
- 0x27ace:$inp4: _POST[
- 0x26f59:$cpayload1: eval($
|
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x2791b:$payload_and_input1: eval(request.
- 0x26ed0:$tagasp_short1: <%e
- 0x26ee6:$tagasp_short1: <%\x90
- 0x274b3:$tagasp_short1: <%e
- 0x275ee:$tagasp_short1: <%e
- 0x278fc:$tagasp_short1: <%@
- 0x27919:$tagasp_short1: <%e
- 0x63ea:$tagasp_short2: %>
- 0x1ca46:$tagasp_short2: %>
- 0x26ea5:$tagasp_short2: %>
- 0x26ece:$tagasp_short2: %>
- 0x26ee0:$tagasp_short2: %>
- 0x27602:$tagasp_short2: %>
- 0x27917:$tagasp_short2: %>
- 0x26ed0:$tagasp_long13: <%ev
- 0x274b3:$tagasp_long13: <%ev
- 0x275ee:$tagasp_long13: <%ev
- 0x27919:$tagasp_long13: <%ev
|
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xd4b7:$sb3: -WindowStyle Hidden
- 0x2ee14:$sb3: -Windowstyle hidden
- 0x2ee07:$se2: -exec bypass
- 0xd4cb:$se3: -ExecutionPolicy Bypass
- 0x2ee07:$se4: -exec bypass
|
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | - 0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34)
- 0x2ec18:$two5: NullRefrencedException
- 0x2ec30:$two6: error has occurred in user32.dll by
- 0x2ec18:$two7: NullRefrencedException
|
00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp | JoeSecurity_Cobra_Locker | Yara detected Cobra Locker ransomware | Joe Security | |
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp | webshell_php_generic | php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings | Arnim Rupp | - 0x26f36:$php_short: <?
- 0x26f75:$php_short: <?
- 0x26fb5:$php_short: <?
- 0x26ff8:$php_short: <?
- 0x27042:$php_short: <?
- 0x2735f:$php_short: <?
- 0x2744d:$php_short: <?
- 0x2753a:$php_short: <?
- 0x27593:$php_short: <?
- 0x27711:$php_short: <?
- 0x26f36:$php_new2: <?php
- 0x26f75:$php_new2: <?php
- 0x26fb5:$php_new2: <?php
- 0x26ff8:$php_new2: <?php
- 0x27042:$php_new2: <?php
- 0x2735f:$php_new2: <?php
- 0x2753a:$php_new2: <?php
- 0x27593:$php_new2: <?php
- 0x27711:$php_new2: <?php
- 0x27ace:$inp4: _POST[
- 0x26f59:$cpayload1: eval($
|
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x2791b:$payload_and_input1: eval(request.
- 0x26ed0:$tagasp_short1: <%e
- 0x26ee6:$tagasp_short1: <%\x90
- 0x274b3:$tagasp_short1: <%e
- 0x275ee:$tagasp_short1: <%e
- 0x278fc:$tagasp_short1: <%@
- 0x27919:$tagasp_short1: <%e
- 0x63ea:$tagasp_short2: %>
- 0x1ca46:$tagasp_short2: %>
- 0x26ea5:$tagasp_short2: %>
- 0x26ece:$tagasp_short2: %>
- 0x26ee0:$tagasp_short2: %>
- 0x27602:$tagasp_short2: %>
- 0x27917:$tagasp_short2: %>
- 0x26ed0:$tagasp_long13: <%ev
- 0x274b3:$tagasp_long13: <%ev
- 0x275ee:$tagasp_long13: <%ev
- 0x27919:$tagasp_long13: <%ev
|
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0xd4b7:$sb3: -WindowStyle Hidden
- 0x2ee14:$sb3: -Windowstyle hidden
- 0x2ee07:$se2: -exec bypass
- 0xd4cb:$se3: -ExecutionPolicy Bypass
- 0x2ee07:$se4: -exec bypass
|
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | - 0x2e61b:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2e6e2:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2ec65:$one6: Shell Environ$("COMSPEC") & " /c
- 0x2ec86:$one7: echo " & Chr(32) & cmd & Chr(32) & " > " & Chr(34)
- 0x2ec18:$two5: NullRefrencedException
- 0x2ec30:$two6: error has occurred in user32.dll by
- 0x2ec18:$two7: NullRefrencedException
|
00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp | JoeSecurity_Cobra_Locker | Yara detected Cobra Locker ransomware | Joe Security | |
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x429d9:$payload4: eval(gzuncompress(base64_decode
- 0x2a84:$php_short: <?
- 0x7ac6:$php_short: <?
- 0x7e13:$php_short: <?
- 0x27a1a:$php_short: <?
- 0x27a83:$php_short: <?
- 0x27aec:$php_short: <?
- 0x27b55:$php_short: <?
- 0x27bbe:$php_short: <?
- 0x2c093:$php_short: <?
- 0x30d39:$php_short: <?
- 0x50b28:$php_short: <?
- 0x27a1a:$php_new2: <?php
- 0x27a83:$php_new2: <?php
- 0x27aec:$php_new2: <?php
- 0x27b55:$php_new2: <?php
- 0x27bbe:$php_new2: <?php
|
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x33e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x33ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x345ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x345fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x34b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x34b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x18b28:$s1: stratum+tcp://
- 0x195bc:$s1: stratum+tcp://
- 0x1a968:$s1: stratum+tcp://
- 0x1ac90:$s1: stratum+tcp://
|
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x27498:$s1: stratum+tcp://
- 0x280b4:$s1: stratum+tcp://
|
00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | - 0x1d676:$pdb1: \ADPassHunt\
- 0x1d687:$pdb2: \ADPassHunt.pdb
- 0x1d69b:$s1: Usage: .\ADPassHunt.exe
- 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute
- 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute
- 0x1d734:$s4: [GPP] Searching for passwords now
|
00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp | Ammyy_Admin_AA_v3 | Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe | Florian Roth | - 0x35759:$x1: S:\Ammyy\sources\target\TrService.cpp
- 0x35783:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp
- 0x357b5:$x3: Global\Ammyy.Target.IncomePort
- 0x357d8:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp
- 0x35804:$x5: Please enter password for accessing remote computer
- 0x3568f:$s1: CreateProcess1()#3 %d error=%d
- 0x356b2:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name.
- 0x356f6:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d
- 0x3572c:$s4: ERROR: FindProcessByName('explorer.exe')
|
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0x13a35:$s1: "c" & "r" & "i" & "p" & "t"
|
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x27867:$sa2: -enCodEdCoMMANd
- 0x8cf9:$sb1: -w hidden
- 0x27853:$sb3: -WindOwsTyLe HiddEN
- 0x27848:$sc2: -NOPrOFiLe
- 0x27830:$se3: -ExECutioNPolicy bYpAsS
|
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | |
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp | JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | |
00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp | JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | |
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x18011:$s1: stratum+tcp://
- 0x1dc8f:$s1: stratum+tcp://
|
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth | - 0x301aa:$s1: WscRipt.sHeLl").Run
|
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp | vanquish_2 | Webshells Auto-generated - file vanquish.exe | Yara Bulk Rule Generator by Florian Roth | - 0x959:$s2: Vanquish - DLL injection failed:
|
00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0x143ef:$s1: "c" & "r" & "i" & "p" & "t"
|
00000024.00000003.6333426467.00000197A331E000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | - 0x10fa6:$a1: logKextPassKey
- 0x10fd4:$b1: logKext Password:
- 0x10fe9:$b2: Logging controls whether the daemon is logging keystrokes (default is on).
- 0x10fa6:$c1: logKextPassKey
|
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x266cb:$s1: stratum+tcp://
|
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | - 0x44b1:$r1: p^o^w^e^r^s^h^E^L^L
- 0x44b1:$r2: p^o^w^e^r^s^h^E^L^L
|
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x176d6:$s1: stratum+tcp://
- 0x17771:$s1: stratum+tcp://
- 0x178c8:$s1: stratum+tcp://
|
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth | - 0x172dd:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x172b3:$s4: start /b "" cmd /c del "%%~f0"&exit /b
- 0x2d0b5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
- 0x1730e:$s6: %s\%s.bat
|
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_Vidar | Yara detected Vidar stealer | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_ByteLocker | Yara detected ByteLocker Ransomware | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_Artemon | Yara detected Artemon Ransomware | Joe Security | |
00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp | JoeSecurity_lazparking | Yara detected LazParking Ransomware | Joe Security | |
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter | - 0x3dd6b:$substring: AAAAYInlM
- 0x3dd67:$pattern1: /OiCAAAAYInlM
|
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | - 0x31e9:$x4: reflective_inject_dll
- 0x31e9:$x8: reflective_inject_dll
- 0x31e9:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
|
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x223f8:$payload7: eval(base64_decode(
- 0x22422:$payload7: eval(base64_decode(
- 0x223f3:$php_short: <?
- 0x2241c:$php_short: <?
- 0x32fd0:$php_short: <?
- 0x35509:$php_short: <?
- 0x223f3:$php_new2: <?php
- 0x2241c:$php_new2: <?php
|
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security | |
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | |
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | |
00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp | JoeSecurity_EvilGnomeRC5Key | Yara detected Linux EvilGnome RC5 key | unknown | |
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x138b6:$s1: stratum+tcp://
|
00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x138b6:$s1: stratum+tcp://
|
00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | - 0x2ad91:$r2: p^ower^shell
|
00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x23c95:$new_php2: <?php
- 0x77af:$dynamic3: $U\xBF('
- 0x2243e:$gen_bit_sus11: "cmd.exe
- 0x23085:$gen_bit_sus11: "cmd.exe
- 0x242d8:$gen_bit_sus12: %comspec%
- 0x23ca0:$gen_bit_sus46: shell_
- 0x2a319:$gen_bit_sus47: Shell
- 0x2baa9:$gen_bit_sus47: Shell
- 0x5eab:$gen_bit_sus62: Cyber
- 0x5ed6:$gen_bit_sus62: Cyber
- 0x23c7b:$gen_much_sus8: WebShell
- 0x26a18:$gen_much_sus15: AntiVirus
- 0x2713c:$gen_much_sus15: AntiVirus
- 0x27f65:$gen_much_sus15: antivirus
- 0x28042:$gen_much_sus15: antivirus
- 0x28056:$gen_much_sus15: antivirus
- 0x2d83f:$gen_much_sus15: Antivirus
- 0x23c57:$gen_much_sus18: "unsafe
- 0x24600:$gen_much_sus24: exploit
- 0x227f0:$gen_much_sus25: Exploit
- 0x22ab1:$gen_much_sus25: Exploit
|
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x23c3e:$payload_and_input1: eval(request.
- 0x23c3c:$tagasp_short1: <%e
- 0x23c61:$tagasp_short2: %>
- 0x23c3c:$tagasp_long13: <%ev
- 0x2a243:$jsp4: public
- 0x2a2a1:$jsp4: public
|
00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6299736334.00000197A2ED4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp | Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team | - 0x1c1ea:$s05: fce8890000006089e531d2648b52308b
|
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp | webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp | - 0xdd78:$enc_eval1: \x65\x76\x61\x6c\x28
- 0xdd78:$enc_eval2: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x36ab7:$new_php2: <?php
- 0x363c2:$dynamic3: $_server[base64_decode('
- 0xce4c:$gen_bit_sus11: "cmd.exe
- 0xced8:$gen_bit_sus11: "cmd.exe
- 0xcfef:$gen_bit_sus11: "cmd.exe
- 0xfdcb:$gen_bit_sus11: "cmd.exe
- 0x1ed35:$gen_bit_sus47: Shell
- 0x2e9d3:$gen_bit_sus47: Shell
- 0x212fd:$gen_bit_sus50: bypass
- 0x3621e:$gen_bit_sus50: bypass
- 0x36458:$gen_bit_sus59: 'cmd'
- 0x1dae3:$gen_bit_sus60: "execute"
- 0x1db1a:$gen_bit_sus60: "execute"
- 0x1c0ec:$gen_bit_sus62: Cyber
- 0x1c18c:$gen_bit_sus62: Cyber
- 0x34c4a:$gen_bit_sus69: $cmd
- 0xe1be:$gen_much_sus8: Webshell
- 0x25860:$gen_much_sus8: Webshell
- 0x35289:$gen_much_sus8: WebShell
- 0x35525:$gen_much_sus8: Webshell
- 0x36409:$gen_much_sus8: Webshell
|
00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xdd78:$opbs77: \x65\x76\x61\x6c\x28
- 0x5676:$php_short: <?
- 0xc9ee:$php_short: <?
- 0xca79:$php_short: <?
- 0xcb04:$php_short: <?
- 0xfede:$php_short: <?
- 0x10d31:$php_short: <?
- 0x342da:$php_short: <?
- 0x3530f:$php_short: <?
- 0x36ab7:$php_short: <?
- 0x3a253:$php_short: <?
- 0x36ab7:$php_new2: <?php
|
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x2abc1:$s1: stratum+tcp://
- 0x2ac01:$s1: stratum+tcp://
|
00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6270634530.00000197A4698000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | - 0x35ec2:$sb1: -w hidden
- 0x35ecc:$sc1: -nop
- 0x35ed1:$se1: -ep bypass
- 0x7d49:$se3: -ExecutionPolicy Bypass
|
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xfeb8:$s1: stratum+tcp://
|
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp | JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | |
00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp | JoeSecurity_Cute | Yara detected Cute Ransomware | Joe Security | |
00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0xfebc:$payload7: eval(base64_decode(
- 0xd4d7:$php_short: <?
- 0xd507:$php_short: <?
- 0xdbf3:$php_short: <?
- 0x378dc:$php_short: <?
- 0x37d93:$php_short: <?
- 0x39caf:$php_short: <?
- 0x3a56b:$php_short: <?
- 0xd4d7:$php_new2: <?php
- 0x37d93:$php_new2: <?php
- 0x39caf:$php_new2: <?php
- 0x3a56b:$php_new2: <?php
|
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions. | Arnim Rupp | - 0x394f7:$pbs7: pwnshell
- 0xd4d7:$php_short: <?
- 0xd507:$php_short: <?
- 0xdbf3:$php_short: <?
- 0x378dc:$php_short: <?
- 0x37d93:$php_short: <?
- 0x39caf:$php_short: <?
- 0x3a56b:$php_short: <?
- 0xd4d7:$php_new2: <?php
- 0x37d93:$php_new2: <?php
- 0x39caf:$php_new2: <?php
- 0x3a56b:$php_new2: <?php
|
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | Oilrig_IntelSecurityManager | Detects OilRig malware | Eyal Sela | - 0x2711b:$one3: srvCheckresponded
|
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x29a49:$s1: stratum+tcp://
|
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xd5e:$opbs48: se'.(32*2)
- 0x179f:$php_short: <?
- 0x184cc:$php_short: <?
- 0x179f:$php_new2: <?php
|
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x3e14:$s12: sekurlsa::tickets
|
00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x3778:$payload_and_input2: execute(request(
- 0x320b:$tagasp_short1: <%v
- 0x3776:$tagasp_short1: <%e
- 0xd619:$tagasp_short1: <%R
- 0x29da0:$tagasp_short1: <%\x03
- 0x2aac4:$tagasp_short1: <%\xC0
- 0x378f:$tagasp_short2: %>
- 0xa4fc:$tagasp_short2: %>
- 0x24f8a:$tagasp_short2: %>
- 0x3776:$tagasp_long12: <%ex
- 0x17400:$jsp4: public
- 0x17787:$jsp4: public
|
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security | |
00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp | CVE_2018_4878_0day_ITW | unknown | unknown | - 0x2bce5:$known1: f:\work\flash\obfuscation\loadswf\src
- 0x2bce5:$known5: f:\work\flash\obfuscation\loadswf\src
- 0x2bcc2:$loader3: loadswf
- 0x2bcd3:$loader3: loadswf
- 0x2bcdd:$loader3: loadswf
- 0x2bcff:$loader3: loadswf
- 0xd6ed:$flash_magic: 46 57 53
|
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | - 0x1d676:$pdb1: \ADPassHunt\
- 0x1d687:$pdb2: \ADPassHunt.pdb
- 0x1d69b:$s1: Usage: .\ADPassHunt.exe
- 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute
- 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute
- 0x1d734:$s4: [GPP] Searching for passwords now
|
00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0xfeb1:$x1: IEX ((new-object net.webclient).download
- 0xff04:$x1: IEX ((new-object net.webclient).download
- 0xff58:$x1: IEX ((new-object net.webclient).download
- 0xffb9:$x1: IEX ((new-object net.webclient).download
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | webshell_php_generic | php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings | Arnim Rupp | - 0x774d:$php_short: <?
- 0x1f1a6:$php_short: <?
- 0x1f1a6:$php_new2: <?php
- 0x1f1b3:$inp4: _POST[
- 0x17554:$cpayload1: eval("
- 0x17605:$cpayload1: eval("
- 0x1f1ad:$cpayload1: eval($
- 0x3d502:$cpayload1: eval(f
- 0x368d9:$cpayload2: exec("
- 0x7dd8:$gen_bit_sus1: :eval}
- 0xeb85:$gen_bit_sus10: "cmd"
- 0xa4f9:$gen_bit_sus12: %comspec%
- 0xff94:$gen_bit_sus46: shell_
- 0x2cb0:$gen_bit_sus47: Shell
- 0x12f76:$gen_bit_sus47: Shell
- 0x12fb8:$gen_bit_sus47: Shell
- 0x12fd2:$gen_bit_sus47: Shell
- 0x13f6d:$gen_bit_sus47: Shell
- 0x3ee98:$gen_bit_sus47: Shell
- 0x31365:$gen_bit_sus61: /bin/sh
- 0xbd68:$gen_bit_sus66: whoami
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | webshell_php_generic_eval | Generic PHP webshell which uses any eval/exec function in the same line with user input | Arnim Rupp | - 0x1f1ad:$geval: eval($_POST
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x1f1a6:$new_php2: <?php
- 0xb0ab:$dynamic1: $duration($
- 0xb0b5:$dynamic1: $calc($
- 0xb0d7:$dynamic1: $bytes($
- 0xb0de:$dynamic1: $calc($
- 0xb0fe:$dynamic1: $calc($
- 0xb524:$dynamic1: $nick($
- 0x7dd8:$gen_bit_sus1: :eval}
- 0xeb85:$gen_bit_sus10: "cmd"
- 0xa4f9:$gen_bit_sus12: %comspec%
- 0xff94:$gen_bit_sus46: shell_
- 0x2cb0:$gen_bit_sus47: Shell
- 0x12f76:$gen_bit_sus47: Shell
- 0x12fb8:$gen_bit_sus47: Shell
- 0x12fd2:$gen_bit_sus47: Shell
- 0x13f6d:$gen_bit_sus47: Shell
- 0x3ee98:$gen_bit_sus47: Shell
- 0x31365:$gen_bit_sus61: /bin/sh
- 0xbd68:$gen_bit_sus66: whoami
- 0x2e6a:$gen_much_sus25: Exploit
- 0x3085:$gen_much_sus25: Exploit
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | - 0x1f1cc:$payload_and_input2: execute request(
- 0x1f1ca:$tagasp_short1: <%e
- 0x1c5a8:$tagasp_short2: %>
- 0x1f1e9:$tagasp_short2: %>
- 0x1f1ca:$tagasp_long12: <%ex
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | ChinaChopper_Generic | China Chopper Webshells - PHP and ASPX | Florian Roth | - 0x1f1a8:$php: php @eval($_POST[
|
00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp | JoeSecurity_mock | Yara detected Mock Ransomware | Joe Security | |
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth | - 0x12e1d:$s1: WScript.Shell").run
|
00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | |
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp | xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ | - 0x2ff92:$a: XTREME
- 0x2ffa4:$a: XTREME
- 0x2ffa4:$b: XTREMEBINDER
|
00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x11dd1:$asp_much_sus8: Webshell
- 0x3129:$asp_much_sus15: antivirus
- 0x313f:$asp_much_sus15: antivirus
- 0x3261:$asp_much_sus15: Antivirus
- 0x333d:$asp_much_sus15: antivirus
- 0x3370:$asp_much_sus15: antivirus
- 0x338e:$asp_much_sus15: antivirus
- 0x33a6:$asp_much_sus15: antivirus
- 0x33d1:$asp_much_sus15: antivirus
- 0x3428:$asp_much_sus15: antivirus
- 0x343e:$asp_much_sus15: antivirus
- 0x3769:$asp_much_sus15: antivirus
- 0x3854:$asp_much_sus15: antivirus
- 0x386d:$asp_much_sus15: antivirus
- 0x3886:$asp_much_sus15: antivirus
- 0x3976:$asp_much_sus15: Antivirus
- 0x10b9e:$asp_much_sus28: exploit
- 0xf376:$asp_gen_obf1: "+"
- 0xf37c:$asp_gen_obf1: "+"
- 0x10183:$asp_gen_obf1: "+"
- 0x10a44:$asp_gen_obf1: "+"
|
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x319d9:$payload4: eval(gzuncompress(base64_decode
- 0x16a1a:$php_short: <?
- 0x16a83:$php_short: <?
- 0x16aec:$php_short: <?
- 0x16b55:$php_short: <?
- 0x16bbe:$php_short: <?
- 0x1b093:$php_short: <?
- 0x1fd39:$php_short: <?
- 0x3fb28:$php_short: <?
- 0x16a1a:$php_new2: <?php
- 0x16a83:$php_new2: <?php
- 0x16aec:$php_new2: <?php
- 0x16b55:$php_new2: <?php
- 0x16bbe:$php_new2: <?php
|
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x22e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x22ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x235bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x235ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x235fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x23b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x23b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x7bd8:$s1: stratum+tcp://
|
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp | GoldDragon_Aux_File | Detects export from Gold Dragon - February 2018 | Florian Roth | - 0x2dc2c:$x1: /////////////////////regkeyenum////////////
|
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x102e5:$s1: stratum+tcp://
|
00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp | HackTool_Samples | Hacktool | unknown | - 0x31ba2:$c: Failed to load SAM functions
|
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | - 0x1c178:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
|
00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | - 0x3518b:$x1: reflectively inject a dll into a process.
- 0x35171:$x4: reflective_inject_dll
- 0x35228:$x4: reflective_inject_dll
- 0x35171:$x8: reflective_inject_dll
- 0x35228:$x8: reflective_inject_dll
- 0x35228:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
|
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x217f1:$s1: stratum+tcp://
|
00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x329d9:$payload4: eval(gzuncompress(base64_decode
- 0x17a1a:$php_short: <?
- 0x17a83:$php_short: <?
- 0x17aec:$php_short: <?
- 0x17b55:$php_short: <?
- 0x17bbe:$php_short: <?
- 0x1c093:$php_short: <?
- 0x20d39:$php_short: <?
- 0x40b28:$php_short: <?
- 0x17a1a:$php_new2: <?php
- 0x17a83:$php_new2: <?php
- 0x17aec:$php_new2: <?php
- 0x17b55:$php_new2: <?php
- 0x17bbe:$php_new2: <?php
|
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x23e97:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67
- 0x23ea7:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245bd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x245ed:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x245fd:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
- 0x24b67:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67
- 0x24b77:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
|
00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | - 0x28ead:$x4: reflective_inject_dll
- 0x28ead:$x8: reflective_inject_dll
- 0x28ead:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
|
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x2cbb:$s1: stratum+tcp://
|
00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
00000024.00000003.6294115539.00000197A3970000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp | SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | - 0x3c932:$x1: IEX ((new-object net.webclient).download
|
00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x3a1e:$s1: stratum+tcp://
|
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0x925f:$s1: stratum+tcp://
|
00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | - 0x3b8ac:$: odhyrfjcnfkdtslt
|
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0xd67e:$payload7: eval(base64_decode(
- 0xd669:$php_short: <?
- 0xe4dd:$php_short: <?
- 0x26827:$php_short: <?
- 0xd669:$php_new2: <?php
- 0xe4dd:$php_new2: <?php
|
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | - 0xd734:$s1: stratum+tcp://
|
00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Flor |