Source | Rule | Description | Author | Strings
00000004.00000003.422284630.0000014D0B276000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x9578:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x16761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa32a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x159dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb0a2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1c307:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1d40a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x19189:$sqlite3step: 68 34 1C 7B E1
- 0x1929c:$sqlite3step: 68 34 1C 7B E1
- 0x191b8:$sqlite3text: 68 38 2A 90 C5
- 0x192dd:$sqlite3text: 68 38 2A 90 C5
- 0x191cb:$sqlite3blob: 68 53 D8 7F 8C
- 0x192f3:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.402204010.000001873775D000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x4cf0:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x4d00:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000008.00000002.931430128.0000020FBE071000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8ac8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8e62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16205:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15cb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16307:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x1647f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x987a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x14f2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa5f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b857:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c95a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x186d9:$sqlite3step: 68 34 1C 7B E1
- 0x187ec:$sqlite3step: 68 34 1C 7B E1
- 0x18708:$sqlite3text: 68 38 2A 90 C5
- 0x1882d:$sqlite3text: 68 38 2A 90 C5
- 0x1871b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18843:$sqlite3blob: 68 53 D8 7F 8C
|
00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.388216987.00000187377E3000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x8e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x8e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x926c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x9628:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x9638:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x9648:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x96cc:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x96dc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x9738:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x9748:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x9768:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x9788:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x9798:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x97a8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x97b8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0x9c2c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0x9e48:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0x9e58:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0x9e68:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0x9e78:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0x9efc:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
|
00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x4d09:$sqlite3step: 68 34 1C 7B E1
- 0x4e1c:$sqlite3step: 68 34 1C 7B E1
- 0x4d38:$sqlite3text: 68 38 2A 90 C5
- 0x4e5d:$sqlite3text: 68 38 2A 90 C5
- 0x4d4b:$sqlite3blob: 68 53 D8 7F 8C
- 0x4e73:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000002.927889080.0000014D0B272000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000008.00000002.921876626.0000020FBC1E8000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x1863f:$asp_much_sus15: AntiVirus
- 0x18841:$asp_much_sus15: AntiVirus
- 0x336:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
- 0x4c6:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
- 0x208e:$asp_xml_http: Microsoft.XMLHTTP
- 0x3004:$asp_xml_method2: POST
- 0xf660:$asp_xml_method2: POST
- 0x27ba:$asp_payload2: eval(
- 0x2d38:$asp_payload2: eval(
- 0x200c:$asp_payload11: WScript.Shell
- 0x276e:$asp_multi_payload_one3: .run
- 0x2986:$asp_multi_payload_one3: .run
- 0x2b66:$asp_multi_payload_one3: .run
- 0x2e7c:$asp_multi_payload_one3: .run
- 0x2732:$asp_always_write1: .Write
- 0x294e:$asp_always_write1: .Write
- 0x2b2c:$asp_always_write1: .Write
- 0x2e40:$asp_always_write1: .Write
- 0x26fa:$asp_write_way_one3: CreateTextFile
- 0x2a94:$asp_write_way_one3: CreateTextFile
- 0x2e08:$asp_write_way_one3: CreateTextFile
|
00000008.00000002.921876626.0000020FBC1E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000001.00000003.393763999.0000022181D85000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000008.00000003.465086435.0000020FBE075000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x95e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x997a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16d1d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x167c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16e1f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x16f97:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa392:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x15a44:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb10a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1c36f:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1d472:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x191f1:$sqlite3step: 68 34 1C 7B E1
- 0x19304:$sqlite3step: 68 34 1C 7B E1
- 0x19220:$sqlite3text: 68 38 2A 90 C5
- 0x19345:$sqlite3text: 68 38 2A 90 C5
- 0x19233:$sqlite3blob: 68 53 D8 7F 8C
- 0x1935b:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.386427385.0000018737747000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xa4e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xa4e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0xa526c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0xa5628:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0xa5638:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0xa5648:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0xa56cc:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0xa56dc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0xa5738:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0xa5748:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0xa5768:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0xa5788:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0xa5798:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0xa57a8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0xa57b8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0xa5c2c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0xa5e48:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0xa5e58:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0xa5e68:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0xa5e78:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0xa5efc:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
|
00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000002.403161065.000001873775E000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x3cf0:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x3d00:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.388318935.0000018737762000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x15c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x518:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x528:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x538:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x5bc:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x5cc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x628:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x638:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x658:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x678:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x688:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x698:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x6a8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0xb1c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0xd38:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0xd48:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0xd58:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0xd68:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0xdec:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
- 0x2a50:$x1: 78 34 4E 6A 64 63 65 44 55 79 58 48 67
- 0x3d220:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
|
00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000001.00000002.908396849.00000221FFEFE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000008.00000003.464882412.0000020FBE075000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x4d09:$sqlite3step: 68 34 1C 7B E1
- 0x4e1c:$sqlite3step: 68 34 1C 7B E1
- 0x4d38:$sqlite3text: 68 38 2A 90 C5
- 0x4e5d:$sqlite3text: 68 38 2A 90 C5
- 0x4d4b:$sqlite3blob: 68 53 D8 7F 8C
- 0x4e73:$sqlite3blob: 68 53 D8 7F 8C
|
00000004.00000002.923762236.0000014D095CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000001.00000002.907846772.0000022181D81000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x4d09:$sqlite3step: 68 34 1C 7B E1
- 0x4e1c:$sqlite3step: 68 34 1C 7B E1
- 0x4d38:$sqlite3text: 68 38 2A 90 C5
- 0x4e5d:$sqlite3text: 68 38 2A 90 C5
- 0x4d4b:$sqlite3blob: 68 53 D8 7F 8C
- 0x4e73:$sqlite3blob: 68 53 D8 7F 8C
|
00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.402093855.0000018737752000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xfcf0:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xfd00:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000000.00000003.396207507.00000187377A4000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x47e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x47e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000000.00000003.398203323.00000187377E8000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x3e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x3e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000007.00000002.922485204.0000026A515F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000004.00000003.422300954.0000014D0B276000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000007.00000002.922294824.0000026A4F89A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000004.00000002.923787188.0000014D095D8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.398506960.000001873779E000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1220:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x1230:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x168c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x1a48:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x1a58:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x1a68:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x1aec:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x1afc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x1b58:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x1b68:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x1b88:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x1ba8:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x1bb8:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x1bc8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x1bd8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0x204c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0x2268:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0x2278:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0x2288:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0x2298:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0x231c:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
|
00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x6345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x5df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x6447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x65bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x8819:$sqlite3step: 68 34 1C 7B E1
- 0x892c:$sqlite3step: 68 34 1C 7B E1
- 0x8848:$sqlite3text: 68 38 2A 90 C5
- 0x896d:$sqlite3text: 68 38 2A 90 C5
- 0x885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x8983:$sqlite3blob: 68 53 D8 7F 8C
|
00000001.00000003.393894114.0000022181D85000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0xb5828:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xb5bc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0xc2f65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0xc2a11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0xc3067:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0xc31df:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xb65da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0xc1c8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb7352:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0xc85b7:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0xc96ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0xc5439:$sqlite3step: 68 34 1C 7B E1
- 0xc554c:$sqlite3step: 68 34 1C 7B E1
- 0xc5468:$sqlite3text: 68 38 2A 90 C5
- 0xc558d:$sqlite3text: 68 38 2A 90 C5
- 0xc547b:$sqlite3blob: 68 53 D8 7F 8C
- 0xc55a3:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.396086134.00000187377EC000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x26c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x628:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x638:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x648:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x6cc:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x6dc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x738:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x748:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x768:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x788:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x798:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x7a8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x7b8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0xc2c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0xe48:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0xe58:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0xe68:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0xe78:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0xefc:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
- 0x2b60:$x1: 78 34 4E 6A 64 63 65 44 55 79 58 48 67
|
00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000007.00000002.922283429.0000026A4F890000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x2f33:$asp_much_sus15: AntiVirus
- 0x7143:$asp_much_sus15: AntiVirus
- 0x7fa3:$asp_much_sus15: AntiVirus
- 0x4858:$tagasp_short1: <%\xB7
- 0x43d6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x2e43:$asp_xml_http: Microsoft.XMLHTTP
- 0x7053:$asp_xml_http: Microsoft.XMLHTTP
- 0x7eb3:$asp_xml_http: Microsoft.XMLHTTP
- 0x35fe:$asp_xml_method2: POST
- 0x780e:$asp_xml_method2: POST
- 0x866e:$asp_xml_method2: POST
- 0x724:$asp_text1: .text
- 0x31d9:$asp_payload2: eval(
- 0x3498:$asp_payload2: eval(
- 0x73e9:$asp_payload2: eval(
- 0x76a8:$asp_payload2: eval(
- 0x8249:$asp_payload2: eval(
- 0x8508:$asp_payload2: eval(
- 0x2e02:$asp_payload11: WScript.Shell
- 0x7012:$asp_payload11: WScript.Shell
- 0x7e72:$asp_payload11: WScript.Shell
|
00000007.00000002.922283429.0000026A4F890000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.396200363.000001873779E000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1220:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x1230:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x168c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x1a48:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x1a58:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x1a68:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x1aec:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x1afc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x1b58:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x1b68:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x1b88:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x1ba8:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x1bb8:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x1bc8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x1bd8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0x204c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0x2268:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0x2278:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0x2288:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0x2298:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0x231c:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
|
00000008.00000002.921864833.0000020FBC1DE000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp | - 0x2e03:$asp_much_sus15: AntiVirus
- 0x7de3:$asp_much_sus15: AntiVirus
- 0x59a8:$tagasp_short1: <%\xB7
- 0x5376:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
- 0x2d13:$asp_xml_http: Microsoft.XMLHTTP
- 0x7cf3:$asp_xml_http: Microsoft.XMLHTTP
- 0x34ce:$asp_xml_method2: POST
- 0x84ae:$asp_xml_method2: POST
- 0x5f4:$asp_text1: .text
- 0x30a9:$asp_payload2: eval(
- 0x3368:$asp_payload2: eval(
- 0x8089:$asp_payload2: eval(
- 0x8348:$asp_payload2: eval(
- 0x7cb2:$asp_payload11: WScript.Shell
- 0x3083:$asp_multi_payload_one3: .run
- 0x318f:$asp_multi_payload_one3: .run
- 0x327f:$asp_multi_payload_one3: .run
- 0x8063:$asp_multi_payload_one3: .run
- 0x816f:$asp_multi_payload_one3: .run
- 0x825f:$asp_multi_payload_one3: .run
- 0x83ea:$asp_multi_payload_one3: .run
|
00000008.00000002.921864833.0000020FBC1DE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x7c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x7fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x155bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x89ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1406c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0x9732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ba9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x17819:$sqlite3step: 68 34 1C 7B E1
- 0x1792c:$sqlite3step: 68 34 1C 7B E1
- 0x17848:$sqlite3text: 68 38 2A 90 C5
- 0x1796d:$sqlite3text: 68 38 2A 90 C5
- 0x1785b:$sqlite3blob: 68 53 D8 7F 8C
- 0x17983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.387944732.00000187377E9000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x2e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x2e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x326c:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x3628:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x3638:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x3648:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x36cc:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x36dc:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x3738:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x3748:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x3768:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x3788:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x3798:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x37a8:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x37b8:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0x3c2c:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
- 0x3e48:$x1: 78 34 4E 6D 56 63 65 44 5A 6D 58 48 67
- 0x3e58:$x1: 78 34 4E 6A 56 63 65 44 55 30 58 48 67
- 0x3e68:$x1: 78 34 4E 7A 42 63 65 44 59 31 58 48 67
- 0x3e78:$x1: 78 34 4E 54 5A 63 65 44 59 78 58 48 67
- 0x3efc:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
|
00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | - 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b997:$sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1ca9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
|
00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x18819:$sqlite3step: 68 34 1C 7B E1
- 0x1892c:$sqlite3step: 68 34 1C 7B E1
- 0x18848:$sqlite3text: 68 38 2A 90 C5
- 0x1896d:$sqlite3text: 68 38 2A 90 C5
- 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
- 0x18983:$sqlite3blob: 68 53 D8 7F 8C
|
00000000.00000003.401344899.00000187377EA000.00000004.00000020.00020000.00000000.sdmp | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0x1e00:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x1e10:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
|
00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | - 0x4d09:$sqlite3step: 68 34 1C 7B E1
- 0x4e1c:$sqlite3step: 68 34 1C 7B E1
- 0x4d38:$sqlite3text: 68 38 2A 90 C5
- 0x4e5d:$sqlite3text: 68 38 2A 90 C5
- 0x4d4b:$sqlite3blob: 68 53 D8 7F 8C
- 0x4e73:$sqlite3blob: 68 53 D8 7F 8C
|
Process Memory Space: wscript.exe PID: 5708 | SUSP_Base64_Encoded_Hex_Encoded_Code | Detects hex encoded code that has been base64 encoded | Florian Roth | - 0xc03:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0xc13:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x8835:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x8845:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x8ca1:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x905d:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
- 0x906d:$x1: 78 34 4E 7A 64 63 65 44 4A 6C 58 48 67
- 0x907d:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67
- 0x9101:$x1: 78 34 4E 6A 56 63 65 44 63 77 58 48 67
- 0x9111:$x1: 78 34 4E 6A 46 63 65 44 59 7A 58 48 67
- 0x916d:$x1: 78 34 4E 6D 4E 63 65 44 4D 31 58 48 67
- 0x917d:$x1: 78 34 4E 44 64 63 65 44 51 33 58 48 67
- 0x919d:$x1: 78 34 4E 6D 56 63 65 44 63 30 58 48 67
- 0x91bd:$x1: 78 34 4E 44 46 63 65 44 63 79 58 48 67
- 0x91cd:$x1: 78 34 4E 6A 46 63 65 44 63 35 58 48 67
- 0x91dd:$x1: 78 34 4E 44 68 63 65 44 4D 7A 58 48 67
- 0x91ed:$x1: 78 34 4E 7A 4A 63 65 44 4D 7A 58 48 67
- 0x1ab70:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
- 0x1ab80:$x1: 78 34 4E 6A 6C 63 65 44 5A 6C 58 48 67
- 0x1afdc:$x1: 78 34 4E 54 52 63 65 44 59 78 58 48 67
- 0x1b398:$x1: 78 34 4E 6A 4A 63 65 44 63 79 58 48 67
|
Process Memory Space: wscript.exe PID: 6132 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 5812 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 1272 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |
Process Memory Space: wscript.exe PID: 6040 | JoeSecurity_VjW0rm | Yara detected VjW0rm | Joe Security | |