HKTL_PS1_PowerShell_Loader_Dec20_1

Rule Info

Name:             HKTL_PS1_PowerShell_Loader_Dec20_1
Author:           Florian Roth
Description:      Detects different types of PowerShell loaders used to load CobaltStrike beacons or Metasploit payloads
Score:            75
Reference:        Internal Research
Date:             2020-12-08
Modified:         2022-12-21
Minimum Yara:     1.7
Rule Hash:        a53b8ed9093f44087f23ba1828c4103b
Tags:             HKTL, FILE, SCRIPT, COBALTSTRIKE, METASPLOIT, T1550_002, T1059_001, S0154
Required Modules: none

Antivirus Verdicts

Rating                     | Number of Samples
Malicious (>= 10 engines)  | 27
Suspicious (< 10 engines)  | 23
Clean (0 engines)          | 0

Rule Matches

Timestamp           | Positives | Total | Hash (SHA-256)
2024-01-14 09:04:53 | 30        | 58    | 05bda1cfa10161916494e20ef7a24eb0aaaef96e53ca1eb43ad9d1542de426cb
2024-01-14 09:04:33 | 15        | 58    | 8df9b3420c59092e91e8977347f7713fb7d1287c8381c32b3b3a08f97df4187c
2024-01-14 09:00:53 | 14        | 58    | 3f8b4b88e88eb083a8bceba5b45bbee4000ad4d5edfda06440ee28b0faf5d31c
2024-01-14 09:00:34 | 15        | 58    | 1785ec1bdef703ac4055b0277c710c195c03a81abeb20bbbb496427ae50dfde6
2023-12-30 09:34:27 | 17        | 60    | 4968f46fdb6e1706a44eea45cc5bfb63bdf38d8288461afae9aab3ab08ccef28
2023-12-30 09:17:33 | 21        | 60    | 16049107805915b7ec4262f3f23aa0f7265cdad98a96518df183512f8eab44a3
2023-12-30 09:05:27 | 21        | 60    | 075ff7f858d2700ef0657cc573f810f5a59bb8f95b43fe6ca19f144a39676187
2023-03-24 07:48:20 | 28        | 59    | 8ee118d890e118e737516d673fb245170f8011a09b8c43c22b308c2cfe54a701
2022-11-17 10:06:54 | 13        | 61    | efa091e3a92e4d05c9284d884ac9ae1ac4872c65325d8933d84a287af704011e
2022-11-17 09:22:16 | 17        | 61    | 18fa4824aa6b6447dcd00145c9866c112b07e55e94324ab3fc0d582dddf1f8ba
2022-09-15 20:14:00 | 28        | 60    | 1711a38efc58ce1baea36099b903dca079bbd889ff8bac1bd02adf87888a3c72
2022-09-15 19:44:32 | 28        | 60    | effa0856d42c0d54b1310e7de10a466871d49a79085fef434cf3686e5120e876
2022-09-15 19:32:58 | 14        | 60    | 700713d52340830d32e226b2b0251f46a9c3e04c425fbfe322f9d61ac966fb17
2022-05-12 04:08:17 | 10        | 59    | 92c859d2b2648502d690cac7b5140d909685860837316f76eba01d75a64db294
2022-05-12 04:00:50 | 17        | 59    | 2e5e0435e49dbcefd2ae7d58e06264c75a93be01807941acaae7b37fa7a6453e
2022-04-25 13:53:12 | 9         | 59    | fa7b4c46a76dc817efe8f56569e49a37182ae721683d36ec03ef61ce2dcc4fa5
2022-04-12 07:18:35 | 9         | 59    | 1dc310117c2f536758095ddd3f8c46d885c4d9f77f09f4144e730af989e7e391
2021-11-02 08:07:14 | 10        | 58    | 0a40be539f75e22a485391c965778919aa288126703e9ab2f495c4762dc26dcc
2021-11-02 08:00:54 | 19        | 58    | 51e9d222a5ee0f1e88c19bc71290a2ec3d0e67a18cb0e49711906596fd904bc8
2021-10-21 14:39:04 | 18        | 58    | 4e3369fb50d55a3f53ead2c81d526fdfb4d7680dc4c007e994f3990e8600d2a3
2021-10-12 11:31:09 | 12        | 58    | 1937ec39ea74fadbd34eac17426cfc0ed0d4c77169959ae499fab319a7c6753b
2021-10-09 06:23:51 | 9         | 57    | 3bc3d2c5527e22c8884ecdbbf1ecead99bf47166a6237bd54427733a8b7e4ec3
2021-09-19 16:41:46 | 17        | 58    | 3e3c4c19ab437976f928109dc09470a622f96540d946fcbbc33709978d471463
2021-09-13 06:16:50 | 11        | 58    | 52653cf24c00dd9e87dc508bc4f6cc9025983558ca9f6173776766ff56a64410
2021-08-04 07:06:25 | 10        | 59    | d7753fc09c8722530116300f7185f1899cf2ffe6b445b22a3ec94176178830c4
2021-07-03 06:34:37 | 9         | 59    | b0a11bf95e204994084d54de52472f827f0429746aca33dabedfaa83db6ff2fc
2021-06-22 17:36:51 | 20        | 58    | 2a570486c4bee32586a0e8edf4fc03ac6069d05044c29bb5cdc91e6e085783d5
2021-06-22 17:35:27 | 8         | 58    | f9da1419a427d5a837370c51591aa446615f5e9c723bda10927d996171c5bb77
2021-06-22 17:34:20 | 8         | 59    | 509f0ee78ad7345a8f78878fe4a34b5a98520d73dbc646feaeb567327021d409
2021-06-22 17:34:16 | 8         | 59    | 847c9d67a2597664491841295671bc2817c2af98bb7fa65cb01292592281d82d
2021-06-22 17:34:12 | 21        | 58    | 0982b274642cb6f802ff5e15c0892a2baff81340c74c87b0b421d01071f9eef5
2021-06-05 21:07:36 | 8         | 59    | 576d33e06f43013d633b6d17a5daba4df6713daf54bcadea203fcf7b498482c7
2021-05-17 13:00:35 | 5         | 57    | 5a9f7ebf2a507f3a5ce4daa0423af5968f00934771afe307631bb88b88e095c1
2021-05-13 04:44:11 | 12        | 58    | b7ab375bcdab54af5298d8b49f91a0cce47a5e5c5066e2db0b6a6e9210aa6939
2021-04-16 06:23:26 | 8         | 59    | b8000e9533fdf36a71209e90513cfc7f6e21f1877717c027eaa9fb889b3b6b86
2021-04-16 05:52:26 | 15        | 58    | e6d4fa4f9f8556a74aabf0cf06bf8076669dc076e5c24f51cf746eb8f8e262bb
2021-04-11 11:54:57 | 7         | 59    | bc3aa76bfe4c794871563d71ac02e8b4cf6bd10aa57d5c96695cdd7104c6f4ba
2021-04-11 10:50:35 | 6         | 59    | e94213d5fa833775a6ebe93169921137725e385931e6840b8f2cc8d4d1a452af
2021-04-11 10:47:27 | 6         | 59    | 8c78d9f510e2ace9380c8928b5f516c32cfca7885dc7518d4c1d6040568987f3
2021-04-11 10:46:25 | 7         | 59    | 33885991b15b2214bddf9cafbffe65265fa8033d9909748357db720640a65dc6
2021-04-11 10:45:22 | 7         | 59    | cb958e7a91c54be7cceef5ba058a326511a0d433d5e7b3a1c6d72a4ddf248c70
2021-04-11 10:35:52 | 7         | 59    | abb280ca9b31d11a9a2ff5ab7fb90cf6a7145d8c83c12cb5f2fa4810e13d95f0
2021-04-11 10:09:42 | 7         | 59    | f572ef436b7b5058e7df67a512a287718a84d9a59fd0949089d35fa2c472b55d
2021-04-11 09:35:02 | 7         | 59    | bbb55cdb848ada4ee0af45d4a8a2db153cacc74f9d6c4e72b825f781e45c8a6a
2021-04-11 09:02:10 | 8         | 59    | 8e692d24605ae8b87e89dd3949c19105484c2fbca9ac71759df5342f75496daa
2021-03-30 04:52:52 | 9         | 59    | c013b1a19893448f028dadd7783e13455687d1ae811a80926ce131aa941fd470
2021-03-28 09:24:22 | 8         | 57    | 621490623e48e2f0d4b8328aa75f767e52f2959c07c1e670d4284c32a93a010a
2021-02-24 05:52:31 | 15        | 60    | 821fa15864fa90a6d63979761db2c794ae12431d3fb4f100eb32209495bbaaff
2021-02-10 08:41:10 | 7         | 60    | b8df14e6ab558d34ee0b890e31f8332f36047a5c5dbe851763d40f578ed3fdbd
2021-02-05 17:37:35 | 4         | 59    | c04230f818472ae92b161cf02c73ba3096a16d4d30ca1543b75befeec7bcc75d

Rule Matches per Month (last 24 months)