00000000.00000003.272269605.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xb98:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xba8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x1014:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x1024:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0x14a4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x14c4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x14d4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x14e4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x14f4:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x1504:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0x1514:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0x1524:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0x1544:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0x1554:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0x1574:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x1584:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0x1594:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0x15a4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x15c4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0x1670:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0x1680:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
0000000C.00000002.799354104.0000010D37867000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x84d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8872:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x332e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x33682:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15c15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x40a25:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x156c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x404d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15d17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x40b27:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x15e8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x40c9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x928a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x3409a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1493c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x3f74c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa002:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x34e12:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x46077:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c36a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.283279518.000001E33FDAF000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x180e9:$sqlite3step: 68 34 1C 7B E1
- 0x181fc:$sqlite3step: 68 34 1C 7B E1
- 0x42ef9:$sqlite3step: 68 34 1C 7B E1
- 0x4300c:$sqlite3step: 68 34 1C 7B E1
- 0x18118:$sqlite3text: 68 38 2A 90 C5
- 0x1823d:$sqlite3text: 68 38 2A 90 C5
- 0x42f28:$sqlite3text: 68 38 2A 90 C5
- 0x4304d:$sqlite3text: 68 38 2A 90 C5
- 0x1812b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18253:$sqlite3blob: 68 53 D8 7F 8C
- 0x42f3b:$sqlite3blob: 68 53 D8 7F 8C
- 0x43063:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000000.368626097.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.441172214.0000000001750000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.274118821.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xb98:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xba8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x1014:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x1024:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0x14a4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x14c4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x14d4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x14e4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x14f4:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x1504:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0x1514:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0x1524:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0x1544:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0x1554:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0x1574:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x1584:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0x1594:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0x15a4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x15c4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0x1670:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0x1680:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x9578:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x16761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa32a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x159dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb0a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1c307:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1d40a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.817738228.0000000005407000.00000004.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x19189:$sqlite3step: 68 34 1C 7B E1
- 0x1929c:$sqlite3step: 68 34 1C 7B E1
- 0x191b8:$sqlite3text: 68 38 2A 90 C5
- 0x192dd:$sqlite3text: 68 38 2A 90 C5
- 0x191cb:$sqlite3blob: 68 53 D8 7F 8C
- 0x192f3:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.787729752.0000000000B50000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000001.00000002.787481597.000001B744A45000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000028.00000000.781550005.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
0000000F.00000003.352632654.0000023E30CBD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.273757086.000001E33FAF2000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x7b98:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x7ba8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x8014:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x8024:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0x84a4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x84c4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x84d4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x84e4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x84f4:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x8504:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0x8514:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0x8524:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0x8544:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0x8554:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0x8574:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x8584:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0x8594:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0x85a4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x85c4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0x8670:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0x8680:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000000.283050957.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.806764391.0000000004A20000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.272435860.000001E33FAF9000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xb98:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xba8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x1014:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x1024:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0x14a4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x14c4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x14d4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x14e4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x14f4:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x1504:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0x1514:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0x1524:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0x1544:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0x1554:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0x1574:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x1584:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0x1594:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0x15a4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x15c4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0x1670:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0x1680:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000004.00000000.397676948.000000000DAD5000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000001.00000002.787143262.000001B742DEC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.273520622.000001E33FA71000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1a8:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x1b8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x624:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x634:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0xab4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0xad4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xae4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0xaf4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0xb04:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0xb14:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0xb24:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0xb34:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0xb54:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0xb64:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0xb84:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xb94:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0xba4:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0xbb4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0xbd4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0xc80:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0xc90:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
0000000F.00000002.788512933.0000023E2EF2C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.285664073.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xe18:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xe28:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x1294:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0x12a4:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0x1724:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x1744:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x1754:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x1764:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x1774:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x1784:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0x1794:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0x17a4:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0x17c4:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0x17d4:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0x17f4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x1804:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0x1814:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0x1824:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x1844:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0x18f0:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0x1900:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000000.00000003.285664073.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x54ca8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x55042:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x565f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x64d01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x566f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x5686f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x55a5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x63f7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x58bf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x62697:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x67dca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
0000000C.00000002.799045100.0000010D35F00000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000006.00000003.309422158.000001A547DDD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.440060149.00000000000B1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000028.00000000.780941454.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000002.291278262.000001E33FAD0000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x32ca8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x33042:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x345f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x42d01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x346f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x3486f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x33a5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x41f7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x36bf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x40697:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x45dca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000028.00000000.780550493.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000006.00000002.787235102.000001A5460F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000006.00000002.787256308.000001A5460FA000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x145f1:$asp_much_sus15: AntiVirus
- 0x5b56:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x4f6:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
- 0x1696:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
- 0x224e:$asp_xml_http: Microsoft.XMLHTTP
- 0x3f1e:$asp_xml_http: Microsoft.XMLHTTP
- 0x31c4:$asp_xml_method2: POST
- 0x4e94:$asp_xml_method2: POST
- 0x16e70:$asp_xml_method2: POST
- 0x297a:$asp_payload2: eval(
- 0x2ef8:$asp_payload2: eval(
- 0x464a:$asp_payload2: eval(
- 0x4bc8:$asp_payload2: eval(
- 0x21cc:$asp_payload11: WScript.Shell
- 0x3e9c:$asp_payload11: WScript.Shell
- 0x292e:$asp_multi_payload_one3: .run
- 0x2b46:$asp_multi_payload_one3: .run
- 0x2d26:$asp_multi_payload_one3: .run
- 0x303c:$asp_multi_payload_one3: .run
- 0x45fe:$asp_multi_payload_one3: .run
- 0x4816:$asp_multi_payload_one3: .run
|
00000006.00000002.787256308.000001A5460FA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.286506040.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x1389:$sqlite3step: 68 34 1C 7B E1
- 0x149c:$sqlite3step: 68 34 1C 7B E1
- 0x13b8:$sqlite3text: 68 38 2A 90 C5
- 0x14dd:$sqlite3text: 68 38 2A 90 C5
- 0x13cb:$sqlite3blob: 68 53 D8 7F 8C
- 0x14f3:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.271100464.000001E33FA55000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xa4b98:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xa4ba8:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0xa5014:$x1: 78 34 4E 7A 64 63 65 44 55 30 58 48 67
- 0xa5024:$x1: 78 34 4E 6A 4A 63 65 44 5A 6A 58 48 67
- 0xa54a4:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0xa54c4:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xa54d4:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0xa54e4:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0xa54f4:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0xa5504:$x1: 78 34 4E 6D 52 63 65 44 59 35 58 48 67
- 0xa5514:$x1: 78 34 4E 7A 4A 63 65 44 5A 6D 58 48 67
- 0xa5524:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
- 0xa5544:$x1: 78 34 4E 6D 4E 63 65 44 59 30 58 48 67
- 0xa5554:$x1: 78 34 4E 6D 52 63 65 44 49 79 58 48 67
- 0xa5574:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xa5584:$x1: 78 34 4E 6A 56 63 65 44 51 31 58 48 67
- 0xa5594:$x1: 78 34 4E 6A 56 63 65 44 5A 6B 58 48 67
- 0xa55a4:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0xa55c4:$x1: 78 34 4E 6D 5A 63 65 44 49 79 58 48 67
- 0xa5670:$x1: 78 34 4E 6D 56 63 65 44 4A 6C 58 48 67
- 0xa5680:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.441024809.0000000001720000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
0000000F.00000002.790309780.0000023E30CBB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000012.00000002.806738334.00000000032E0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x7bd3:$asp_much_sus15: AntiVirus
- 0x3d58:$tagasp_short1: <%\xB7
- 0x5986:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x7ae3:$asp_xml_http: Microsoft.XMLHTTP
- 0x829e:$asp_xml_method2: POST
- 0x474:$asp_text1: .text
- 0x7e79:$asp_payload2: eval(
- 0x8138:$asp_payload2: eval(
- 0x7aa2:$asp_payload11: WScript.Shell
- 0x7e53:$asp_multi_payload_one3: .run
- 0x7f5f:$asp_multi_payload_one3: .run
- 0x804f:$asp_multi_payload_one3: .run
- 0x81da:$asp_multi_payload_one3: .run
- 0x7e35:$asp_always_write1: .Write
- 0x7f43:$asp_always_write1: .Write
- 0x8032:$asp_always_write1: .Write
- 0x81bc:$asp_always_write1: .Write
- 0x7e19:$asp_write_way_one3: CreateTextFile
- 0x7fe6:$asp_write_way_one3: CreateTextFile
- 0x81a0:$asp_write_way_one3: CreateTextFile
- 0x5986:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
|
0000000F.00000002.788499693.0000023E2EF22000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.283352541.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000003.283352541.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.293804379.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.283509737.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
00000000.00000003.272975523.000001E33FA54000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.284654374.000001E33FB1D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
00000001.00000003.280726639.000001B744A4A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.272013161.000001E33F9B1000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000003.284462821.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000003.284462821.000001E33FAAE000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000012.00000002.806579092.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
00000006.00000002.788030615.000001A547DDB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.273684731.000001E33FAEE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000003.273404024.000001E33FAEE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000028.00000000.781223568.0000000000C51000.00000020.00000001.01000000.0000000E.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
00000000.00000002.298399545.000001E34090B000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
Process Memory Space: wscript.exe PID: 6352 | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | |
Process Memory Space: wscript.exe PID: 6432 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 6720 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 7112 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 5232 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |