Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Overview
General Information
Detection
RemCom RemoteAdmin, Mimikatz, HawkEye, Imminent, Nanocore, Remcos, 0x0M4R
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected GhostRat
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected Rapid ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected Fiesta Ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Yara detected TeslaCrypt Ransomware
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Crypt ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected LockBit ransomware
Yara detected Arcane Stealer
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Niros Ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Yara detected RevengeRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected Coinhive miner
Yara detected Knot Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Yara detected Baldr
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Zeoticus ransomware
Yara detected Porn Ransomware
Benign windows process drops PE files
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected WormLocker Ransomware
Yara detected Nephilim Ransomware
Yara detected Mailto ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Ransomware32
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected CryptoWall ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected 0x0M4R Ransomware
Yara detected Growtopia
Yara detected Windows Security Disabler
Yara detected Amnesia ransomware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Uses dynamic DNS services
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Sample is not signed and drops a device driver
DLL side loading technique detected
Uses ipconfig to lookup or modify the Windows network settings
Found string related to ransomware
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
May drop file containing decryption instructions (likely related to ransomware)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks if the current process is being debugged
May initialize a security null descriptor
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
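Two of the signatures above, "Java / VBScript file with very long strings (likely obfuscated code)" and "May sleep (evasive loops) to hinder dynamic analysis", can be approximated statically before the script is ever executed. The following is an added example and not code from the Joe Sandbox report or from the sample: the VBS input is constructed to show the three traits the heuristics look for, and the 200-character literal threshold and 30-second sleep threshold are assumed values.

```python
import re
from typing import Dict, List, Tuple

# Constructed VBS sample for this example. It is not the submitted script; it only
# reproduces the three traits the heuristics look for.
SAMPLE_VBS = "\n".join([
    "Option Explicit",
    "Dim blob, sh",
    'blob = "' + "4D5A9000" * 50 + '"',            # 400-char literal: an embedded hex blob
    "WScript.Sleep 60000",                          # one-minute delay before acting
    'Set sh = CreateObject("WScript.Shell")',
    'sh.Run "cmd /c echo ""quoted"" inside", 0',    # "" is how VBS escapes a quote
])

# One VBS string literal: opening quote, then any mix of non-quote characters and
# doubled quotes (the escape form), then the closing quote. Literals cannot span lines.
STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')
SLEEP_CALL = re.compile(r"\bWScript\.Sleep\s+(\d+)", re.IGNORECASE)
SHELL_OBJECT = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)


def long_string_literals(src: str, threshold: int = 200) -> List[Tuple[int, int]]:
    """(line_number, literal_length) for every string literal longer than threshold."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            if len(m.group(1)) > threshold:
                hits.append((lineno, len(m.group(1))))
    return hits


def sleep_calls(src: str) -> List[Tuple[int, int]]:
    """(line_number, milliseconds) for every WScript.Sleep call."""
    return [(lineno, int(m.group(1)))
            for lineno, line in enumerate(src.splitlines(), start=1)
            for m in SLEEP_CALL.finditer(line)]


def triage(src: str, long_threshold: int = 200, sleep_threshold_ms: int = 30000) -> Dict[str, object]:
    """Static verdict combining the three heuristics; both thresholds are assumed values."""
    longs = long_string_literals(src, long_threshold)
    sleeps = sleep_calls(src)
    evasive = any(ms >= sleep_threshold_ms for _, ms in sleeps)
    shell = SHELL_OBJECT.search(src) is not None
    return {
        "long_strings": longs,
        "sleeps": sleeps,
        "evasive_sleep": evasive,
        "creates_wscript_shell": shell,
        # A large opaque blob plus a delay or a launcher object is the loader pattern worth a look.
        "suspicious": bool(longs) and (evasive or shell),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBS).items():
        print(f"{key}: {value}")
```

The literal regex honours the doubled-quote escape, so a line such as `sh.Run "cmd /c echo ""quoted"" inside"` is measured as one 29-character literal rather than three short ones; without that, obfuscated scripts that pad strings with embedded quotes would slip under the threshold.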
Classification
Process Tree

Malware Configuration

Threatname: GuLoader
{"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Threatname: Pony
{"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", 
"http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www|corail)\\\\.sudoc", "http://stat.wamme.cn/C8C/gl/cnzz60.html", "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline", "http://mp3.zhongsou.com/m?w=%s", "http://yc.book.sohu.com/series_list.php?select=1&text=%s", "http://kremlin-malwrhunterteam.info/scan.exe", "http://8nasrcity.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://bittupadam.blogspot.com/", "http://search.btchina.net/search.php?query=%s", "http://www.bluelook.es/bvvtbbh.php", "http://articlunik.blogspot.com/", "http://localhost:62338/Chipsetsync.asmx", "http://www.microsoft.com0", "http://%20%20@j.mp/as", "http://ys.cn.yahoo.com/mohu/index.html?p=%s", "http://coltaddict.blogspot.com/", "http://jump.qq.com/clienturl_100?clientuin=", "http://www.ip.com.cn/idcard.php?q=%s", "http://www.thon-samson.be/js/_notes/", "http://rl.ammyy.com", "http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14", "http://animefrase.blogspot.com/", 
"http://binyousafindustries.com/fonts/jo/mops.exe", "http://images.google.cn/images?q=%s", "http://aindonashi.blogspot.com/", "http://alindaenua.blogspot.com/", "http://v.iask.com/v?tag=&k=%s", "http://www.w3.org/1999/xsl/transform", "http://95.173.183.", "http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be", "http://www.cashon.co.kr/search/search.php", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://vequiato.sites.uol.com.br/", "http://</t></si><si><t>188.127.231.", "http://127.0.0.1:20202/remind.html", "http://92.38.135.46/43cfqysryip51zzq.php", "http://%s%s", "http://208.95.104.", "http://abeidaman.blogspot.com/ ", "http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx", "http://20vp.cn/moyu/", "http://www.look2me.com", "http://www.wosss.com/search.aspx?q=%s", "http://www.3322.org/dyndns/getip", "http://www.ip.com.cn/ip.php?q=%s", "http://81.177.26.20/ayayay", "http://cvfanatic.blogspot.com/ ", "http://best4hack.blogspot.com/ ", "http://cicahroti.blogspot.com/ ", "http://www.j.mp/", "http://anomaniez.blogspot.com/ ", "http://62.210.214.", "http://bonkersmen.blogspot.com/", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://search.17173.com/index.jsp?keyword=%s", "http://www.22teens.com/", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://%s:%i%s", "http://vidscentral.net/inc/6348852", "http://download.zhongsou.com/cdsearch/", "http://babukq4e2p4wu4iq.onion", "http://aspx.vod38.com/", "http://200.159.128.", "http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s", "http://www.soso.com/q?w=%s", "http://kavok.ind.br/ds/2312.gif", "http://www.tempuri.org/DataSet1.xsd", "http://batrasiaku.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://bigboobsp.blogspot.com/ ", 
"http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=", "http://www.look2me.com/products/", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://ks.pconline.com.cn/index.jsp?qx=download&q=%s", "http://blog.x-row.net/", "http://ads.8866.org/", "http://spotdewasa.blogspot.com/", "http://www.zhongsou.com/kefu/zskf.htm", "http://bit.ly", "http://adsl.carpediem.fr/perl/invoc_oneway.pl?", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://31.192.210.", "http://www.daybt.com/query.asp?q=%s", "http://3117488091/lib/jquery-3.2.1.min.js", "http://funsiteshere.com/redir.php", "http://pic.sogou.com/pics?query=%s", "http://softthrifty.com/security.jsp", "http://www.tq121.com.cn/", "http://dialup.carpediem.fr/perl/dialup.pl", "http://z1.nf-2.net/512.txt", "http://alhalm-now.blogspot.com/", "http://31.192.209.", "http://94.102.14.", "http://aolopdephn.blogspot.com/", "http://50.63.128.", "http://dontkillme/", "http://agressor58.blogspot.com/", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://gosgd2.com", "http://musah.info/", "http://berkah2013.blogspot.com/", "http://wevx.xyz/post.php?uid=", "http://search.union.yahoo.com.cn/click/search.htm?m=", "http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s", "http://www.sagawa-exp.co.jp/", "http://www.look2me.com/cgi", "http://lo0oading.blogspot.com/ ", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://61.19.253.", "http://www.klikspaandelft.nl/", "http://xn--", "http://www.trotux.com/?z=", "http://arifkacip.blogspot.com/ ", "http://clients.lb1networks.com/upd.php?", "http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s", "http://go.58.com/?f=", 
"http://aspx.qqus.net/wanmei/login.asp", "http://afkar.today/test_coming.training/w_f/", "http://www.3000.ws/", "http://js.pkglayer.com", "http://p.iask.com/p?k=%s", "http://hostthenpost.org/uploads/", "http://www.iciba.com/search?s=%s", "http://%domain%/config.php", "http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=", "http://rapidshare.com/files/", "http://www.mypaymate.com/dialerplatform/tmp.htm", "http://www.baidu.com/baidu?tn=", "http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s", "http://www.sogou.com/web?query=%s", "http://www.sacbarao.kinghost.net/", "http://www.2345.com", "http://203.199.200.61", "http://music.cn.yahoo.com/lyric.html?p=%s", "http://ahmad-roni.blogspot.com/", "http://www.inet4you.com/exit/", "http://185.153.198.216:8010/UserService", "http://search.crsky.com/search.asp?sType=ResName&keyword=%s", "http://www.google.cn/search?q=%s", "http://games.enet.com.cn/article/SearchCategory.php?key=%s", "http://citw-vol2.blogspot.com/ ", "http://ks.pcgames.com.cn/games_index.jsp?q=%s", "http://music.soso.com/q?sc=mus&w=%s", "http://ksn.a", "http://webpatch.ragnarok.co.kr/", "http://2010-kpss.blogspot.com/ ", "http://image.soso.com/image.cgi?w=%s", "http://cbl.toolbar4free.com/cgi-bin/s.exe", "http://aitimatafb.blogspot.com/", "http://61.160.222.11:", "http://mp3.baidu.com/m?tn=", "http://%s/ftp/g.php", "http://weather.265.com/%s", "http://toolbar.deepdo.com/download/", "http://888888.2288.org/Monitor_INI", "http://%s/any2/%s-direct.ex", "http://www.ip.com.cn/mobile.php?q=%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&dyfm=cpjyicit", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://www.qq994455.com/", "http://%s", "http://www.ip.com.cn/tel.php?q=%s", "http://community.derbiz.com/", "http://31.192.211.", 
"http://\"+hashdate().tostring(16)+\".eu/script.html", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a", "http://errors.statsmyapp.com/installer-error.gif?action=wrapper", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://fateh.aba.ae/xyzx.zip", "http://www.ip138.com", "http://gaigoixxx.blogspot.com/ ", "http://batysnewskz.kz/ups.com", "http://104.236.94.", "http://70.38.40.185", "http://1bestgate.blogspot.com/ ", "http://0.82211.net/", "http://dl.dropbox.com/u/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://acayipbiri.blogspot.com/", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://fateh.aba.ae/abc.zip", "http://www.agendagyn.com/media/fotos/2010/", "http://avnisevinc.blogspot.com/", "http://www.linkinc.es/scss/water.php", "http://ip-api.com/", "http://autothich.blogspot.com/ ", "http://www.cashon.co.kr/app/install.php?", "http://178.79.137.25/campo/", "http://srmvx.com.br/uploads/", "http://cert.beahh.com/cert.php", "http://calleveinte.com.mx/ups-quantum-view", "http://cs.zhongsou.com/", "http://foo.w97.cn/SoftInterFace/SearchNum.aspx", "http://weather.265.com/get_weather.php?action=get_city", "http://tempuri.org/", "http://tool.world2.cn/toolbar/", "http://mitotl.com.mx/ups.com/", "http://www.yodao.com/search?ue=utf8&q=%s", "http://%20%20@j.mp/axas", "http://aancyber77.blogspot.com/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://www.", "http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=", "http://arthisoft.blogspot.com/ ", "http://sf3q2wrq34.ddns.net"]}
Threatname: Metasploit
{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock
{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Read these extractions with care. The Metasploit "Command" is a single control byte, the CryLock "Extensions" value is a run of unrelated runtime error messages, a CPU model string and a base-62 alphabet, and a large share of the Pony "C2 list" consists of printf templates such as "http://%s:%d/%s%d%08d", XML namespaces, JavaScript fragments and truncated IP prefixes. Values like these are not operator-set configuration; they are whatever strings the extractors found near a pattern match in a memory dump. Together with a signature list that attributes one VBS script to dozens of unrelated ransomware, RAT and miner families, this is the profile the Mimikatz_Memory_Rule_1 description below names as a known false-positive source (a process holding AV signature data). The GuLoader payload URL is the only configuration value with a single, well-formed target; treat it as the primary network indicator and corroborate any other URL against the full report's process tree and network traffic before acting on it.
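The extracted configurations mix one well-formed download URL (GuLoader) with long lists that contain printf templates, XML namespaces, loopback addresses and truncated hosts. The added example below, which is not part of the Joe Sandbox report, triages such a list: it rejects template and code fragments, non-routable and malformed hosts and known XML namespaces, decodes dword-form hosts such as 3117488091 into dotted-quad notation, tags .onion and dynamic-DNS hosts, and defangs whatever survives. The input is a hand-picked subset of the URLs shown above; the namespace allowlist and the dynamic-DNS suffix list are assumptions to extend for your own environment.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed input: the GuLoader payload URL plus a hand-picked dozen entries from
# the Pony "C2 list" above. Not the full extracted configuration.
SAMPLE_CONFIG: Dict[str, List[str]] = {
    "GuLoader": ["http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"],
    "Pony": [
        "http://%domain%/update.php",
        "http://%s:%d/%s%d%08d",
        "http://www.w3.org/1999/xsl/transform",
        "http://www.microsoft.com0",
        "http://gg",
        "http://92.222.7.",
        "http://127.0.0.1:20202/remind.html",
        "http://3117488091/lib/jquery-3.2.1.min.js",
        "http://194.5.249.107/2nquxqz2ok4a45l.php",
        "http://babukq4e2p4wu4iq.onion",
        "http://sf3q2wrq34.ddns.net",
        'http://"+hashdate().tostring(16)+".eu/script.html',
    ],
}

# printf placeholders (%s, %d, %08d, %i, %zu) and the %domain% token. URL escapes
# such as %20 or %2E do not match because the type letter is missing.
FORMAT_TOKEN = re.compile(r"%(?:\d*[sdizu]|domain%)")
CODE_CHARS = set('"<>\\+()')                      # quotes, markup, JS concatenation
NAMESPACE_HOSTS = {"www.w3.org", "tempuri.org", "www.tempuri.org"}   # assumed allowlist
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")          # assumed list
HOST_LABEL = re.compile(r"[a-z0-9-]+")


def decode_dword_host(host: str) -> str:
    """Turn an all-digit host such as '3117488091' into dotted-quad form; else unchanged."""
    if host.isdigit() and int(host) < 2 ** 32:
        return str(ipaddress.ip_address(int(host)))
    return host


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is 'ip', 'domain', 'onion', 'dyndns' or 'reject'."""
    if FORMAT_TOKEN.search(url):
        return "reject", "format-string template"
    if CODE_CHARS & set(url):
        return "reject", "embedded code or markup fragment"
    try:
        host = urlsplit(url).hostname          # lower-cased by urlsplit
    except ValueError:
        return "reject", "unparseable URL"
    if not host:
        return "reject", "no host"
    host = decode_dword_host(host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return ("ip", host) if ip.is_global else ("reject", f"non-routable address {host}")
    labels = host.split(".")
    if len(labels) < 2 or not all(HOST_LABEL.fullmatch(lab) for lab in labels) \
            or not labels[-1].isalpha():
        return "reject", f"incomplete or malformed host '{host}'"
    if host in NAMESPACE_HOSTS:
        return "reject", "XML/SOAP namespace, not infrastructure"
    if host.endswith(".onion"):
        return "onion", host
    if host.endswith(DDNS_SUFFIXES):
        return "dyndns", host
    return "domain", host


def defang(url: str) -> str:
    """hxxp:// and [.] in the host so the indicator cannot be clicked or auto-linked."""
    parts = urlsplit(url)
    host = decode_dword_host(parts.hostname or "").replace(".", "[.]")
    netloc = host + (f":{parts.port}" if parts.port else "")
    scheme = parts.scheme.replace("http", "hxxp")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{parts.path}{query}"


def triage_config(config: Dict[str, List[str]]) -> Dict[str, Dict[str, list]]:
    """Per family: defanged actionable indicators and rejected entries with reasons."""
    result: Dict[str, Dict[str, list]] = {}
    for family, urls in config.items():
        actionable, rejected = [], []
        for url in urls:
            verdict, detail = classify(url)
            if verdict == "reject":
                rejected.append((url, detail))
            else:
                actionable.append((verdict, detail, defang(url)))
        result[family] = {"actionable": actionable, "rejected": rejected}
    return result


if __name__ == "__main__":
    for family, buckets in triage_config(SAMPLE_CONFIG).items():
        print(family)
        for kind, host, safe in buckets["actionable"]:
            print(f"  KEEP   {kind:7} {safe}")
        for url, why in buckets["rejected"]:
            print(f"  REJECT {why}: {url}")
```

Run as written, the Pony list collapses to four candidates (two routable IPv4 addresses, one of them recovered from the dword form, one .onion address and one ddns.net host) while the GuLoader entry passes untouched. Rejected entries still deserve a glance when building a timeline, but none of them belongs in a block rule.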
Yara Overview

Memory Dumps

Unique rules matched across the memory dumps (the source dump and matched strings are not shown):

| Rule | Description | Author |
|---|---|---|
| CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth |
| webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp |
| webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security |
| ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth |
| CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
| Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| Pupy_Backdoor | Detects Pupy backdoor | Florian Roth |
| JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
| JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security |
| SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye |
| PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| JoeSecurity_Baldr | Yara detected Baldr | Joe Security |
| JoeSecurity_Knot | Yara detected Knot Ransomware | Joe Security |
| JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security |
| JoeSecurity_Nephilim | Yara detected Nephilim Ransomware | Joe Security |
| xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ |
| hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe |
| webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security |
| MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth |
| JoeSecurity_Vidar | Yara detected Vidar stealer | Joe Security |
| JoeSecurity_ByteLocker | Yara detected ByteLocker Ransomware | Joe Security |
| JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security |
| JoeSecurity_Artemon | Yara detected Artemon Ransomware | Joe Security |
| JoeSecurity_lazparking | Yara detected LazParking Ransomware | Joe Security |
| SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth |
| webshell_php_generic | php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings | Arnim Rupp |
| webshell_php_generic_eval | Generic PHP webshell which uses any eval/exec function in the same line with user input | Arnim Rupp |
| ChinaChopper_Generic | China Chopper Webshells - PHP and ASPX | Florian Roth |
| JoeSecurity_mock | Yara detected Mock Ransomware | Joe Security |
| WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth |
| JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security |
| JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security |
| webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions. | Arnim Rupp |
| Oilrig_IntelSecurityManager | Detects OilRig malware | Eyal Sela |
| JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security |
| SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth |
| Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) |
| JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
| JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security |
| JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security |
| Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team |
| webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp |
| webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| Tofu_Backdoor | Detects Tofu Trojan | Cylance |
| WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth |
| JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security |
| APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team |
| Amplia_Security_Tool | Amplia Security Tool | unknown |
| REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG |
| IMPLANT_5_v3 | XTunnel Implant by APT28 | US CERT |
| JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security |
| malware_red_leaves_memory | Red Leaves C&C left in memory, use with Volatility / Rekall | David Cannings |
| Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
PoisonIvy_3 | unknown | Kevin Breen <kevin@techanarchy.net> |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
korlia | unknown | Nick Hoffman |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth |
| |
HackTool_MSIL_SharPersist_2 | unknown | FireEye |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | ||
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth |
| |
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Pupy_Backdoor | Detects Pupy backdoor | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) |
| |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | ||
APT9002Strings | 9002 Identifying Strings | Seth Hardy |
| |
RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth |
| |
JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security | ||
APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye |
| |
APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
gh0st | unknown | https://github.com/jackcr/ |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
webshell_asp_sql | ASP webshell giving SQL access. Might also be a dual use tool. | Arnim Rupp |
| |
WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth |
| |
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp |
| |
SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| |
SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
Ammyy_Admin_AA_v3 | Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe | Florian Roth |
| |
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team |
| |
webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp |
| |
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
| |
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) |
| |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Niros | Yara detected Niros Ransomware | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
Certutil_Decode_OR_Download | Certutil Decode | Florian Roth |
| |
CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_base64_encoded_payloads | php webshell containing base64 encoded payload | Arnim Rupp |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions. | Arnim Rupp |
| |
JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | ||
JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth |
| |
Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth |
| |
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
GoldDragon_Aux_File | Detects export from Gold Dragon - February 2018 | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security | ||
CVE_2018_4878_0day_ITW | unknown | unknown |
| |
WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | Florian Roth |
| |
HackTool_Samples | Hacktool | unknown |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
MirageStrings | Mirage Identifying Strings | Seth Hardy |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
Tofu_Backdoor | Detects Tofu Trojan | Cylance |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter |
| |
Pupy_Backdoor | Detects Pupy backdoor | Florian Roth |
| |
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security | ||
JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | ||
JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security | ||
JoeSecurity_EvilGnomeRC5Key | Yara detected Linux EvilGnome RC5 key | unknown | ||
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
vanquish_2 | Webshells Auto-generated - file vanquish.exe | Yara Bulk Rule Generator by Florian Roth |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp |
| |
webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp |
| |
webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp |
| |
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team |
| |
webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp |
| |
webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp |
| |
webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Certutil_Decode_OR_Download | Certutil Decode | Florian Roth |
| |
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp |
| |
CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye |
| |
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth |
| |
APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Trojan_Win32_PlaKeylog_B | Keylogger component | Microsoft |
| |
DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | ||
JoeSecurity_Cute | Yara detected Cute Ransomware | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp |
| |
SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth |
| |
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
JoeSecurity_Growtopia | Yara detected Growtopia | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | ||
JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | ||
JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | ||
CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
HackTool_Samples | Hacktool | unknown |
| |
PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth |
| |
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe |
| |
Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter |
| |
SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| |
Tofu_Backdoor | Detects Tofu Trojan | Cylance |
| |
Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth |
| |
Keylogger_CN_APT | Keylogger - generic rule for a Chinese variant | Florian Roth |
| |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth | |
| | ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth | |
| | WindowsCredentialEditor | Windows Credential Editor | unknown | |
| | Amplia_Security_Tool | Amplia Security Tool | unknown | |
| | HackTool_Samples | Hacktool | unknown | |
| | Ammyy_Admin_AA_v3 | Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe | Florian Roth | |
| | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | |
| | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | |
| | SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth | |
| | Unidentified_Malware_Two | Unidentified Implant by APT29 | US CERT | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | Cobaltbaltstrike_Payload_Encoded | Detects CobaltStrike payloads | Avast Threat Intel Team | |
| | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | |
| | TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) | |
| | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | |
| | HackTool_MSIL_SharPersist_2 | unknown | FireEye | |
| | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye | |
| | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | |
| | ChinaChopper_Generic | China Chopper Webshells - PHP and ASPX | Florian Roth | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security | |
| | JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | |
| | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security | |
| | JoeSecurity_Valak_1 | Yara detected Valak | Joe Security | |
| | JoeSecurity_RevengeRAT | Yara detected RevengeRAT | Joe Security | |
| | JoeSecurity_rapid | Yara detected Rapid ransomware | Joe Security | |
| | JoeSecurity_AESCRYPTRansomware | Yara detected AESCRYPT Ransomware | Joe Security | |
| | JoeSecurity_Vidar | Yara detected Vidar stealer | Joe Security | |
| | JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security | |
| | JoeSecurity_Ragnarok_ransomware | Yara detected Ragnarok ransomware | Joe Security | |
| | JoeSecurity_Codoso_Ghost | Yara detected Codoso Ghost | Joe Security | |
| | JoeSecurity_Axiom | Yara detected Axiom Ransomware | Joe Security | |
| | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security | |
| | JoeSecurity_rhino | Yara detected Rhino ransomware | Joe Security | |
| | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
| | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | |
| | JoeSecurity_WormLocker | Yara detected WormLocker Ransomware | Joe Security | |
| | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | |
| | JoeSecurity_DarkSide | Yara detected DarkSide Ransomware | Joe Security | |
| | JoeSecurity_ByteLocker | Yara detected ByteLocker Ransomware | Joe Security | |
| | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security | |
| | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security | |
| | JoeSecurity_Baldr | Yara detected Baldr | Joe Security | |
| | JoeSecurity_TeslaCrypt | Yara detected TeslaCrypt Ransomware | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Clay | Yara detected Clay Ransomware | Joe Security | |
| | JoeSecurity_OCT_RANSOMWARE | Yara detected OCT Ransomware | Joe Security | |
| | JoeSecurity_Mailto | Yara detected Mailto ransomware | Joe Security | |
| | JoeSecurity_Pony | Yara detected Pony | Joe Security | |
| | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
| | JoeSecurity_MegaCortex | Yara detected MegaCortex Ransomware | Joe Security | |
| | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
| | JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | |
| | JoeSecurity_crypt_ransomware | Yara detected Crypt ransomware | Joe Security | |
| | JoeSecurity_Ouroboros_ransomware | Yara detected Ouroboros ransomware | Joe Security | |
| | JoeSecurity_jcrypt | Yara detected Jcrypt Ransomware | Joe Security | |
| | JoeSecurity_Niros | Yara detected Niros Ransomware | Joe Security | |
| | JoeSecurity_LaZagne | Yara detected LaZagne password dumper | Joe Security | |
| | JoeSecurity_Knot | Yara detected Knot Ransomware | Joe Security | |
| | JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security | |
| | JoeSecurity_Koadic | Yara detected Koadic | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_EvilGnomeRC5Key | Yara detected Linux EvilGnome RC5 key | unknown | |
| | JoeSecurity_LockBit_ransomware | Yara detected LockBit ransomware | Joe Security | |
| | JoeSecurity_Zeppelin | Yara detected Zeppelin Ransomware | Joe Security | |
| | JoeSecurity_Ryuk | Yara detected Ryuk ransomware | Joe Security | |
| | JoeSecurity_Artemon | Yara detected Artemon Ransomware | Joe Security | |
| | JoeSecurity_Delta | Yara detected Delta Ransomware | Joe Security | |
| | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security | |
| | JoeSecurity_Evrial | Yara detected Evrial Stealer | Joe Security | |
| | JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | |
| | JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security | |
| | JoeSecurity_CryLock | Yara detected CryLock ransomware | Joe Security | |
| | JoeSecurity_Growtopia | Yara detected Growtopia | Joe Security | |
| | JoeSecurity_lockfile | Yara detected LOCKFILE ransomware | Joe Security | |
| | JoeSecurity_Ransomware32 | Yara detected Ransomware32 | Joe Security | |
| | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
| | JoeSecurity_blackmatter | Yara detected BLACKMatter Ransomware | Joe Security | |
| | JoeSecurity_Marvel | Yara detected Marvel Ransomware | Joe Security | |
| | JoeSecurity_Chaos | Yara detected Chaos Ransomware | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | JoeSecurity_ransomware_0x0M4R | Yara detected 0x0M4R Ransomware | Joe Security | |
| | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security | |
| | JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | |
| | JoeSecurity_WannaRen | Yara detected WannaRen ransomware | Joe Security | |
| | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| | JoeSecurity_Gocoder | Yara detected Gocoder ransomware | Joe Security | |
| | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| | JoeSecurity_LimeRAT | Yara detected LimeRAT | Joe Security | |
| | JoeSecurity_Parallax_RAT | Yara detected Parallax RAT | Joe Security | |
| | JoeSecurity_Nephilim | Yara detected Nephilim Ransomware | Joe Security | |
| | JoeSecurity_babuk | Yara detected Babuk Ransomware | Joe Security | |
| | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | |
| | JoeSecurity_Betabot | Yara detected Betabot | Joe Security | |
| | JoeSecurity_Conti_ransomware | Yara detected Conti ransomware | Joe Security | |
| | JoeSecurity_vhd | Yara detected VHD ransomware | Joe Security | |
| | JoeSecurity_Netwalker | Yara detected Netwalker ransomware | Joe Security | |
| | JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | |
| | JoeSecurity_RekenSom | Yara detected RekenSom ransomware | Joe Security | |
| | JoeSecurity_RemComRemoteAdmin | Yara detected RemCom RemoteAdmin tool | Joe Security | |
| | JoeSecurity_Shellcode_Injector | Yara detected generic Shellcode Injector | Joe Security | |
| | JoeSecurity_lazparking | Yara detected LazParking Ransomware | Joe Security | |
| | JoeSecurity_Jigsaw | Yara detected Jigsaw | Joe Security | |
| | JoeSecurity_WinSecDisabler | Yara detected Windows Security Disabler | Joe Security | |
| | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | |
| | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | |
| | JoeSecurity_Snatch | Yara detected Snatch Ransomware | Joe Security | |
| | JoeSecurity_Cute | Yara detected Cute Ransomware | Joe Security | |
| | JoeSecurity_apis | Yara detected Apis Ransomware | Joe Security | |
| | JoeSecurity_fiesta | Yara detected Fiesta Ransomware | Joe Security | |
| | JoeSecurity_CryptoWall | Yara detected CryptoWall ransomware | Joe Security | |
| | JoeSecurity_mock | Yara detected Mock Ransomware | Joe Security | |
| | JoeSecurity_Amnesia | Yara detected Amnesia ransomware | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_PornRansomware | Yara detected Porn Ransomware | Joe Security | |
| | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | |
| | JoeSecurity_RegretLocker | Yara detected RegretLocker Ransomware | Joe Security | |
| | JoeSecurity_Ransomware_Generic | Yara detected Ransomware_Generic | Joe Security | |
| | JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security | |
| | JoeSecurity_Zeoticus_ransomware | Yara detected Zeoticus ransomware | Joe Security | |
| | JoeSecurity_Thanos | Yara detected Thanos ransomware | Joe Security | |
| | JoeSecurity_covid19 | Yara detected Covid19 Ransomware | Joe Security | |
| | JoeSecurity_Cobra_Locker | Yara detected Cobra Locker ransomware | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_PasteDownloader | Yara detected PasteDownloader | Joe Security | |
| | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | |
| | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | |
| | JoeSecurity_Predator | Yara detected Predator | Joe Security | |
| | vanquish_2 | Webshells Auto-generated - file vanquish.exe | Yara Bulk Rule Generator by Florian Roth | |
| | fe_cpe_ms17_010_ransomware | probable petya ransomware using eternalblue, wmic, psexec | ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick | |
| | APT9002Strings | 9002 Identifying Strings | Seth Hardy | |
| | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team | |
| | MirageStrings | Mirage Identifying Strings | Seth Hardy | |
| | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | |
| | gh0st | unknown | https://github.com/jackcr/ | |
| | gholeeV1 | unknown | unknown | |
| | MW_gholee_v1 | http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html | unknown | |
| | NetWiredRC_B | NetWiredRC | Jean-Philippe Teissier / @Jipe_ | |
| | PoisonIvy_3 | unknown | Kevin Breen <kevin@techanarchy.net> | |
| | CVE_2018_4878_0day_ITW | unknown | unknown | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth | |
| | dump_tool | unknown | @patrickrolsen | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | MAL_Turla_Agent_BTZ | Detects Turla Agent.BTZ | Florian Roth | |
| | dump_tool | unknown | @patrickrolsen | |
| | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | |
| | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | Trojan_Win32_PlaKeylog_B | Keylogger component | Microsoft | |
| | APT_DNSpionage_Karkoff_Malware_Apr19_1 | Detects DNSpionage Karkoff malware | Florian Roth | |
| | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | |
| | SUSP_DropperBackdoor_Keywords | Detects suspicious keywords that indicate a backdoor | Florian Roth | |
| | APT_APT41_POISONPLUG | Detects APT41 malware POISONPLUG | Florian Roth | |
| | APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 | Detects HOPLIGHT malware used by HiddenCobra APT group | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | |
| | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | |
| | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | |
| | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | XOR_4byte_Key | Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) | Florian Roth | |
| | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | |
| | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | |
| | HackTool_Samples | Hacktool | unknown | |
| | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | |
| | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | APT9002Strings | 9002 Identifying Strings | Seth Hardy | |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth | |
| | SUSP_PDB_Strings_Keylogger_Backdoor | Detects PDB strings used in backdoors or keyloggers | Florian Roth | |
| | MAL_Turla_Agent_BTZ | Detects Turla Agent.BTZ | Florian Roth | |
| | dump_tool | unknown | @patrickrolsen | |
| | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | |
| | IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT | |
| | Derusbi_Kernel_Driver_WD_UDFS | Detects Derusbi Kernel Driver | Florian Roth | |
| | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth | |
| | Msfpayloads_msf_10 | Metasploit Payloads - file msf.exe | Florian Roth | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | SUSP_Microsoft_7z_SFX_Combo | Detects a suspicious file that has a Microsoft copyright and is a 7z SFX | Florian Roth | |
| | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | |
| | Msfpayloads_msf_10 | Metasploit Payloads - file msf.exe | Florian Roth | |
| | Oilrig_IntelSecurityManager | Detects OilRig malware | Eyal Sela | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | |
| | HackTool_MSIL_SharPersist_2 | unknown | FireEye | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | |
| | HackTool_Samples | Hacktool | unknown | |
| | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | |
| | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | |
| | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Eyal Sela (slightly modified by Florian Roth) | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth | |
| | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | |
| | malware_sakula_xorloop | XOR loops from Sakula malware | David Cannings | |
| | RAT_Sakula | Detects Sakula v1.0 RAT | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings | |
| | HackTool_MSIL_SharpHound_3 | The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. | FireEye | |
| | HKTL_NET_GUID_SharpHound3 | Detects c# red/black-team tools via typelibguid | Arnim Rupp | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
| | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | Tofu_Backdoor | Detects Tofu Trojan | Cylance | |
| | Oilrig_IntelSecurityManager | Detects OilRig malware | Eyal Sela | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MAL_Turla_Agent_BTZ | Detects Turla Agent.BTZ | Florian Roth | |
| | dump_tool | unknown | @patrickrolsen | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | SUSP_Microsoft_7z_SFX_Combo | Detects a suspicious file that has a Microsoft copyright and is a 7z SFX | Florian Roth | |
| | MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth | |
| | SUSP_PDB_Strings_Keylogger_Backdoor | Detects PDB strings used in backdoors or keyloggers | Florian Roth | |
| | MAL_Turla_Agent_BTZ | Detects Turla Agent.BTZ | Florian Roth | |
| | dump_tool | unknown | @patrickrolsen | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | Tofu_Backdoor | Detects Tofu Trojan | Cylance | |
| | Trojan_Win32_PlaKeylog_B | Keylogger component | Microsoft | |
| | APT_DNSpionage_Karkoff_Malware_Apr19_1 | Detects DNSpionage Karkoff malware | Florian Roth | |
| | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | |
| | SUSP_DropperBackdoor_Keywords | Detects suspicious keywords that indicate a backdoor | Florian Roth | |
| | APT_APT41_POISONPLUG | Detects APT41 malware POISONPLUG | Florian Roth | |
| | APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 | Detects HOPLIGHT malware used by HiddenCobra APT group | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | |
| | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | |
| | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | dump_tool | unknown | @patrickrolsen | |
| | Tofu_Backdoor | Detects Tofu Trojan | Cylance | |
| | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | |
| | APT_Backdoor_Win_GoRat_Memory | Identifies GoRat malware in memory based on strings. | FireEye | |
| | Tofu_Backdoor | Detects Tofu Trojan | Cylance | |
| | dump_tool | unknown | @patrickrolsen | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | |
| | HackTool_Samples | Hacktool | unknown | |
| | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | |
| | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | |
| | JoeSecurity_Baldr | Yara detected Baldr | Joe Security | |
| | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
| | JoeSecurity_Knot | Yara detected Knot Ransomware | Joe Security | |
| | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
| | JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | |
| | JoeSecurity_Nephilim | Yara detected Nephilim Ransomware | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ | |
| | korlia | unknown | Nick Hoffman | |
| | webshell_asp_generic_eval_on_input | Generic ASP webshell which uses any eval/exec function directly on user input | Arnim Rupp | |
| | TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | |
| | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | |
| | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth | |
| | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | |
| | APT_PupyRAT_PY | Detects Pupy RAT | Florian Roth | |
| | Pupy_Backdoor | Detects Pupy backdoor | Florian Roth | |
| | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | |
| | APT_MAL_Sandworm_Exaramel_Configuration_Key | Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... | FR/ANSSI/SDO | |
| | APT_APT29_sorefang_modify_alphabet_custom_encode | Rule to detect SoreFang based on arguments passed into custom encoding algorithm function | NCSC | |
| | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
| | Gen_Net_LocalGroup_Administrators_Add_Command | Detects an executable that contains a command to add a user account to the local administrators group | Florian Roth | |
| | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team | |
| | SUSP_Microsoft_7z_SFX_Combo | Detects a suspicious file that has a Microsoft copyright and is a 7z SFX | Florian Roth | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | |
| | clearlog | Detects Fireball malware - file clearlog.dll | Florian Roth | |
| | Gen_Net_LocalGroup_Administrators_Add_Command | Detects an executable that contains a command to add a user account to the local administrators group | Florian Roth | |
| | Trojan_Win32_PlaKeylog_B | Keylogger component | Microsoft | |
| | APT_DNSpionage_Karkoff_Malware_Apr19_1 | Detects DNSpionage Karkoff malware | Florian Roth | |
| | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | |
| | SUSP_DropperBackdoor_Keywords | Detects suspicious keywords that indicate a backdoor | Florian Roth | |
| | APT_APT41_POISONPLUG | Detects APT41 malware POISONPLUG | Florian Roth | |
| | APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 | Detects HOPLIGHT malware used by HiddenCobra APT group | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth | |
| | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth | |
| | malware_sakula_xorloop | XOR loops from Sakula malware | David Cannings | |
| | RAT_Sakula | Detects Sakula v1.0 RAT | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings | |
| | HackTool_MSIL_SharpHound_3 | The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. | FireEye | |
| | HKTL_NET_GUID_SharpHound3 | Detects c# red/black-team tools via typelibguid | Arnim Rupp | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
| | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| | MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth | |
| | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | |
| | malware_sakula_xorloop | XOR loops from Sakula malware | David Cannings | |
| | HackTool_Samples | Hacktool | unknown | |
| | RAT_Sakula | Detects Sakula v1.0 RAT | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings | |
| | HackTool_MSIL_SharpHound_3 | The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. | FireEye | |
| | HKTL_NET_GUID_SharpHound3 | Detects c# red/black-team tools via typelibguid | Arnim Rupp | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | |
| | JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | |
| | JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | |
| | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | JoeSecurity_Njrat | Yara detected Njrat | Joe Security | |
| | MirageStrings | Mirage Identifying Strings | Seth Hardy | |
| | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth | |
| | GhostDragon_Gh0stRAT | Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report | Florian Roth | |
| | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth | |
| |
SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth |
| |
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth |
| |
Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth |
| |
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
JoeSecurity_Baldr | Yara detected Baldr | Joe Security | ||
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_Knot | Yara detected Knot Ransomware | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | ||
JoeSecurity_Nephilim | Yara detected Nephilim Ransomware | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
xtremrat | Xtrem RAT v3.5 | Jean-Philippe Teissier / @Jipe_ |
| |
korlia | unknown | Nick Hoffman |
| |
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth |
| |
SUSP_PDB_Path_Keywords | Detects suspicious PDB paths | Florian Roth |
| |
Certutil_Decode_OR_Download | Certutil Decode | Florian Roth |
| |
Greenbug_Malware_4 | Detects ISMDoor Backdoor | Florian Roth |
| |
JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | ||
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Winexe_tool | Yara detected Winexe tool | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth |
| |
Unspecified_Malware_Sep1_A1 | Detects malware from DrqgonFly APT report | Florian Roth | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth |
| |
REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG |
| |
ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth |
| |
malware_sakula_xorloop | XOR loops from Sakula malware | David Cannings |
| |
IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT |
| |
IMPLANT_5_v3 | XTunnel Implant by APT28 | US CERT |
| |
HKTL_NET_NAME_SharPyShell | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
HKTL_NET_NAME_DotNetInject | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp |
| |
HKTL_NET_NAME_ibombshell | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
RAT_Sakula | Detects Sakula v1.0 RAT | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings |
| |
TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) |
| |
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
Mimikatz_Strings | Detects Mimikatz strings | Florian Roth |
| |
HackTool_MSIL_SharpHound_3 | The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. | FireEye |
| |
HKTL_NET_GUID_CsharpAmsiBypass | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
| |
HKTL_NET_GUID_SharpHound3 | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
| |
ROKRAT_Nov17_1 | Detects ROKRAT malware | Florian Roth |
| |
JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | ||
JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | ||
JoeSecurity_Vidar | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security | ||
JoeSecurity_Codoso_Ghost | Yara detected Codoso Ghost | Joe Security | ||
JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security | ||
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
JoeSecurity_ByteLocker | Yara detected ByteLocker Ransomware | Joe Security | ||
JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Mailto | Yara detected Mailto ransomware | Joe Security | ||
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | ||
JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | ||
JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Artemon | Yara detected Artemon Ransomware | Joe Security | ||
JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | ||
JoeSecurity_CryLock | Yara detected CryLock ransomware | Joe Security | ||
JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | ||
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | ||
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
JoeSecurity_Shellcode_Injector | Yara detected generic Shellcode Injector | Joe Security | ||
JoeSecurity_lazparking | Yara detected LazParking Ransomware | Joe Security | ||
JoeSecurity_Jigsaw | Yara detected Jigsaw | Joe Security | ||
JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Cobra_Locker | Yara detected Cobra Locker ransomware | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_PasteDownloader | Yara detected PasteDownloader | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | ||
malware_red_leaves_memory | Red Leaves C&C left in memory, use with Volatility / Rekall | David Cannings |
| |
gh0st | unknown | https://github.com/jackcr/ |
| |
NetWiredRC_B | NetWiredRC | Jean-Philippe Teissier / @Jipe_ |
| |
MiniRAT_Gen_1 | Detects Mini RAT malware | Florian Roth |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth |
| |
REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG |
| |
ZxShell_Jul17 | Detects a ZxShell - CN threat group | Florian Roth |
| |
malware_sakula_xorloop | XOR loops from Sakula malware | David Cannings |
| |
IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT |
| |
IMPLANT_5_v3 | XTunnel Implant by APT28 | US CERT |
| |
HKTL_NET_NAME_SharPyShell | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
HKTL_NET_NAME_DotNetInject | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp |
| |
HKTL_NET_NAME_ibombshell | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
RAT_Sakula | Detects Sakula v1.0 RAT | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings |
| |
TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) |
| |
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
Mimikatz_Strings | Detects Mimikatz strings | Florian Roth |
| |
HackTool_MSIL_SharpHound_3 | The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. | FireEye |
| |
HKTL_NET_GUID_CsharpAmsiBypass | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
| |
HKTL_NET_GUID_SharpHound3 | Detects c# red/black-team tools via typelibguid | Arnim Rupp |
| |
ROKRAT_Nov17_1 | Detects ROKRAT malware | Florian Roth |
| |
JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | ||
JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | ||
JoeSecurity_Vidar | Yara detected Vidar stealer | Joe Security | ||
JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security | ||
JoeSecurity_Codoso_Ghost | Yara detected Codoso Ghost | Joe Security | ||
JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security | ||
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
JoeSecurity_ByteLocker | Yara detected ByteLocker Ransomware | Joe Security | ||
JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Mailto | Yara detected Mailto ransomware | Joe Security | ||
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_MiniRAT | Yara detected Mini RAT | Joe Security | ||
JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security | ||
JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_Artemon | Yara detected Artemon Ransomware | Joe Security | ||
JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | ||
JoeSecurity_CryLock | Yara detected CryLock ransomware | Joe Security | ||
JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | ||
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | ||
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
JoeSecurity_Shellcode_Injector | Yara detected generic Shellcode Injector | Joe Security | ||
JoeSecurity_lazparking | Yara detected LazParking Ransomware | Joe Security | ||
JoeSecurity_Jigsaw | Yara detected Jigsaw | Joe Security | ||
JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Cobra_Locker | Yara detected Cobra Locker ransomware | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_PasteDownloader | Yara detected PasteDownloader | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | ||
malware_red_leaves_memory | Red Leaves C&C left in memory, use with Volatility / Rekall | David Cannings |
| |
gh0st | unknown | https://github.com/jackcr/ |
| |
NetWiredRC_B | NetWiredRC | Jean-Philippe Teissier / @Jipe_ |
| |
HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth |
| |
ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth |
| |
REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | USG |
| |
APT_PupyRAT_PY | Detects Pupy RAT | Florian Roth |
| |
SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | Florian Roth |
| |
SUSP_PDB_Path_Keywords | Detects suspicious PDB paths | Florian Roth |
| |
IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT |
| |
IMPLANT_5_v3 | XTunnel Implant by APT28 | US CERT |
| |
MAL_AirdViper_Sample_Apr18_1 | Detects Arid Viper malware sample | Florian Roth |
| |
HKTL_NET_NAME_AmsiBypass | Detects .NET red/black-team tools via name | Arnim Rupp |
| |
Pupy_Backdoor | Detects Pupy backdoor | Florian Roth |
| |
TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | US-CERT Code Analysis Team (modified by Florian Roth) |
| |
Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth |
| |
Mimikatz_Strings | Detects Mimikatz strings | Florian Roth |
| |
CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye |
| |
Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Florian Roth |
| |
ROKRAT_Nov17_1 | Detects ROKRAT malware | Florian Roth |
| |
JoeSecurity_cerber | Yara detected Cerber ransomware | Joe Security | ||
JoeSecurity_Buran | Yara detected Buran Ransomware | Joe Security | ||
JoeSecurity_gogoogle | Yara detected GoGoogle ransomware | Joe Security | ||
JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security | ||
JoeSecurity_Voidcrypt | Yara detected Voidcrypt Ransomware | Joe Security | ||
JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security | ||
JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security | ||
JoeSecurity_Mailto | Yara detected Mailto ransomware | Joe Security | ||
JoeSecurity_Cryptolocker | Yara detected Cryptolocker ransomware | Joe Security | ||
JoeSecurity_MegaCortex | Yara detected MegaCortex Ransomware | Joe Security | ||
JoeSecurity_NoCry | Yara detected NoCry Ransomware | Joe Security | ||
JoeSecurity_Nemty | Yara detected Nemty Ransomware | Joe Security | ||
JoeSecurity_Avaddon | Yara detected Avaddon Ransomware | Joe Security | ||
JoeSecurity_CryLock | Yara detected CryLock ransomware | Joe Security | ||
JoeSecurity_Marvel | Yara detected Marvel Ransomware | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_Gocoder_3 | Yara detected Gocoder ransomware | Joe Security | ||
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | ||
JoeSecurity_bitcoinminer | Yara detected BitCoin Miner | Joe Security | ||
JoeSecurity_Shellcode_Injector | Yara detected generic Shellcode Injector | Joe Security | ||
JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_Coinhive | Yara detected Coinhive miner | Joe Security | ||
JoeSecurity_hidden_tear | Yara detected HiddenTear ransomware | Joe Security | ||
malware_red_leaves_memory | Red Leaves C&C left in memory, use with Volatility / Rekall | David Cannings |
| |
PoisonIvy_3 | unknown | Kevin Breen <kevin@techanarchy.net> |
| |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus detection for URL or domain |
Source: | Avira URL Cloud: |
Found malware configuration |
Source: | Malware Configuration Extractor: |
Source: | Malware Configuration Extractor: |
Source: | Malware Configuration Extractor: |