0000000D.00000002.812752920.0000013D91256000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.300627425.00000249697C1000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1c860:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
|
00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x0:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
|
00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x772c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000000.00000003.292250245.0000024969786000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x86ed9:$sqlite3step: 68 34 1C 7B E1
|
00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000004.00000000.372823411.0000000005604000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
|
00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000012.00000002.830373431.0000000000E20000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
|
00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000002.00000002.401722166.00000000014D0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
|
00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000012.00000002.830259140.0000000000B10000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb1618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000000.00000002.308018485.0000024969E00000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0xc1229:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000003.281730307.00000249697F5000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xc:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
|
00000000.00000003.297218621.00000249697DE000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xc8:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
|
00000001.00000002.830575316.000001922C81F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000000.00000003.299860714.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x9ac9:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000000.00000003.300915140.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x9ac9:$sqlite3step: 68 34 1C 7B E1
|
00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000012.00000002.801300107.0000000000910000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
|
0000000F.00000002.812070527.000001D194C8F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000002.00000000.291613938.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
|
0000000A.00000002.807977026.00000216DE0B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000002.00000002.401531356.00000000013A1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
|
0000000D.00000002.812584046.0000013D8F46A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000002.00000002.401874829.0000000001840000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000003.300820496.00000249697DC000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1860:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
|
0000000A.00000002.808147035.00000216DFE16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000001.00000002.830179135.000001922AD6D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.281350445.0000024969781000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x4920:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
|
0000000A.00000002.807957265.00000216DE0A8000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x28f3:$asp_much_sus15: AntiVirus
|
0000000A.00000002.807957265.00000216DE0A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000000.00000003.300404894.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x9ac9:$sqlite3step: 68 34 1C 7B E1
|
0000000F.00000002.811908702.000001D1932BD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.296801406.0000024969781000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x4920:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
|
00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000004.00000000.344226970.0000000005604000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
|
00000000.00000002.302134868.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x9ac9:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000002.303697866.0000024969781000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x4920:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
|
00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8b58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000000.00000003.292414870.0000024969A7A000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18769:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x82c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
|
00000000.00000003.295432260.00000249697F5000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17ed9:$sqlite3step: 68 34 1C 7B E1
|
00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x19f11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xb907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xba7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x1918c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x55c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1bcc7:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1cfda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.300557956.0000024969403000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x9ac9:$sqlite3step: 68 34 1C 7B E1
- 0x9bdc:$sqlite3step: 68 34 1C 7B E1
- 0x9af8:$sqlite3text: 68 38 2A 90 C5
- 0x9c1d:$sqlite3text: 68 38 2A 90 C5
- 0x9b0b:$sqlite3blob: 68 53 D8 7F 8C
- 0x9c33:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x90c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9462:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x162b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16a7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x9e7a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1552c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xabf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1be57:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1cf5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.805718233.00000000009A5000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18cd9:$sqlite3step: 68 34 1C 7B E1
- 0x18dec:$sqlite3step: 68 34 1C 7B E1
- 0x18d08:$sqlite3text: 68 38 2A 90 C5
- 0x18e2d:$sqlite3text: 68 38 2A 90 C5
- 0x18d1b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18e43:$sqlite3blob: 68 53 D8 7F 8C
|
0000000D.00000002.812596470.0000013D8F474000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.280807014.0000024969781000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x4920:$x1: 78 34 4E 6D 56 63 65 44 59 30 58 48 67
- 0x4930:$x1: 78 34 4E 6A 5A 63 65 44 59 35 58 48 67
- 0x4f5c:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x4f6c:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x4f7c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
- 0x4f8c:$x1: 78 34 4E 54 52 63 65 44 63 35 58 48 67
- 0x4fac:$x1: 78 34 4E 6A 4A 63 65 44 59 35 58 48 67
- 0x4fcc:$x1: 78 34 4E 7A 4E 63 65 44 59 31 58 48 67
- 0x5000:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x5010:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x5020:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x50a4:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x50b4:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x5188:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0x5198:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0x5204:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0x5224:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0x5234:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0x5244:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0x5254:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0x5264:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
|
Process Memory Space: wscript.exe PID: 6816 | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xb2e7:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0xb2f7:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0xb307:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0xb38b:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0xb39b:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0xb46f:$x1: 78 34 4E 7A 4A 63 65 44 63 79 58 48 67
- 0xb47f:$x1: 78 34 4E 7A 6C 63 65 44 49 34 58 48 67
- 0xb4eb:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
- 0xb50b:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xb51b:$x1: 78 34 4E 6A 56 63 65 44 52 6D 58 48 67
- 0xb52b:$x1: 78 34 4E 6D 46 63 65 44 59 31 58 48 67
- 0xb53b:$x1: 78 34 4E 7A 52 63 65 44 49 34 58 48 67
- 0xb54b:$x1: 78 34 4E 6A 46 63 65 44 59 30 58 48 67
- 0xb55b:$x1: 78 34 4E 6A 52 63 65 44 59 79 58 48 67
- 0xb56b:$x1: 78 34 4E 7A 4E 63 65 44 63 30 58 48 67
- 0xb57b:$x1: 78 34 4E 6A 56 63 65 44 59 78 58 48 67
- 0xb77f:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
- 0xb8e7:$x1: 78 34 4E 6A 68 63 65 44 59 78 58 48 67
- 0xb8f7:$x1: 78 34 4E 54 4E 63 65 44 59 31 58 48 67
- 0xb90f:$x1: 78 34 4E 7A 56 63 65 44 63 7A 58 48 67
- 0xb91f:$x1: 78 34 4E 6A 46 63 65 44 63 7A 58 48 67
|
Process Memory Space: wscript.exe PID: 6964 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 6388 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 2612 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 1892 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |