SUSP_OBFUSC_PS1_FormatStrings_Dec22_1

Rule Info

Name
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
Author
Florian Roth
Description
Detects format strings combinations found in obfuscated PowerShell code
Score
70
Reference
Internal Research
Date
2022-12-08
Minimum Yara
1.7
Rule Hash
525997429ea7e4e3d05cc0b3bfbaef95
Tags
['T1027', 'T1059_001', 'SUSP', 'OBFUS', 'SCRIPT']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/susp_obfusc_ps1_formatstrings_dec22_1/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
27
Suspicious (< 10 engines)
19
Clean (0 engines)
11

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-09-28 21:23:34
17
60
49da4a08232802e9fa5efdd7bb405b145d9e188280bc263975bdf83dcc2fbedf
2023-09-25 05:33:32
10
59
77b83b09f13c109a177c46e4d91151c7eb7b241f5c606b201d8cbdfa55d8229d
2023-09-25 05:31:51
8
59
be384e48121ed8e6878556753ecf43c639f84306374a26992514267342dcf91f
2023-09-20 16:54:23
2
58
17405e9f8f889925521912aea72467330f3dffeaf8ec8678ef6f412204262896
2023-09-20 15:36:52
15
59
4e2ff31c0a475fd838ab7aa96b32f1c4e4f6960e097ea0cd2f4e4dab165edc45
2023-09-20 10:49:32
14
59
876e0d32864ef6999d52e4a73ca8c2fa3342b26bb3aa86f3f55888a6b65fb076
2023-09-18 06:08:36
2
59
d295b2db5347e6873ef32f8db3663f601be989b67f6d743e100541ab80124d5b
2023-09-16 19:32:49
1
59
9976ccb1ccf473072227b28d4825cb942c41ec08ddf6b1ca3613e0c989a25f65
2023-09-14 18:34:28
1
59
3f8a4520c11d2e57f228a8bd26a370ac71a9f12823b50de93df5e44bae42fca9
2023-09-13 22:23:14
28
59
7f8f8c82fec8acbb0947a192dd5cbe8b95ffdba4e252b582eae127f1c062399b
2023-09-02 15:17:00
1
51
2d64c375ca793ba18c627b4addc5dfe992ae261b3832f2570e775d28c353e751
2023-08-29 20:23:44
1
53
adc0c92429773ebb606ba3aa88f08aa0be4b06cad786f840ea3fe558068ab3d8
2023-08-28 17:24:15
2
56
174d4436f0624ac63c002e4c32bbd8e52988f836e48ee763f4d08820ea81a0bc
2023-08-28 17:24:09
2
55
3be8cdb350b626ef9ed04634d597de8e7bc5bcf0fa0f99dd132263c7f88f137e
2023-08-28 17:24:06
1
56
0fbff6e9d44dae082b3b8701dd199b4096ce4bf87a0040bc952d9cc8fce25059
2023-08-26 06:13:08
13
59
553d3cb9627eeb1ab87f75f743b357b6540ed81dfa0b1cbdbbe375de2d5ece19
2023-08-21 21:04:16
6
58
626696864c651682c5ded75794ba4fc281bf393dc79d0f04b4a7e07e340da958
2023-08-21 14:29:32
0
59
9e970a91fb3314f5e46403d43eb0b066a7e88b1daa6e51d0e723aef381ee57b1
2023-08-18 11:18:50
1
56
2dc7253a7ff02176e5334273f8dee1446697f7a996ea4b63164468e921b1ceda
2023-08-14 03:24:16
0
58
1521435d9d3fb9dc5b08494130f2118b073a6bc6dc233e3ec404225a57b9c4b3
2023-08-14 03:18:24
3
58
70ca31589a8d5340797656a06b175a351f689b45716114311bad0ca46054a3f5
2023-08-07 12:46:32
15
59
4342d531840c988544e50c3eab63171fe7ead690027515112685201c849ac032
2023-08-07 12:00:45
12
59
4227be722f723cf8424e63c622325bef219bbae5f57aa78e37523913c63559de
2023-08-02 15:53:14
0
59
5ab4a60cfecbc66c01c0f6b131fe131bb9b2d3065a737a7dbab7b17d57f6567d
2023-07-28 07:23:37
0
59
d78492f615c999c97726d01714b68792c806d272eefab3cb256f064c45d218aa
2023-07-26 10:20:03
5
58
d24eb6d8bab508257a9162d5d4cb9a025ce70db70c9cbaa1972b3f2bf827290b
2023-07-25 20:22:36
4
70
5fa7451665cf54e1a00a7aeef603c7e44dea9973b001465547d0cb574ba6eaed
2023-07-22 14:22:57
19
59
6f8ead11bc60dc89619d5dfebc63a236b11b2f65da9271b81a2c751baf8768a2
2023-07-22 14:22:53
12
59
839efe795483d1c6aa4efa11eab309e6e232e181686e39cb27e18784a17d9e69
2023-07-22 14:21:28
0
59
40700c3c5b8b34e105d09a5e25b920e3340ddde754a4a4903f9fab9a2743ef6e
2023-07-22 13:52:53
0
59
0d35a6f9beaf6c9ba0335deb6340a0b0327f0658f7b5aa06697e328b73f4cf3b
2023-07-22 13:51:43
0
59
14c13ceedb2757ef94bc245ebd2e64702caf49205fb16b6c74449e7c362ad451
2023-07-22 13:49:48
0
59
ce91b25495792bab27166e715e7fc9b644a95eff19f1eaebc107de79848f640e
2023-07-22 13:26:27
0
59
3a041d9895f02a108eb33386dafde9c6359f471572f48a89bd65b47fd89fbd5b
2023-07-22 11:07:16
0
59
b7599692fbe6b32997d5f34006ab30a2f5e760dbe797d9e5c86e794cb622761e
2023-07-19 11:38:51
24
70
1a32bcfc64e8f7771a2ff46d725dd8796120060d36067e8ff4d02dcba9c56b3c
2023-06-28 16:39:51
15
59
6c9e099595f3bb25eb930cd8b407742c7ca3584ea590fd2e0a08bc551a90a720
2023-05-24 22:09:27
30
67
92d81f9749f74883a9e7a8931d5451985087c6b8f34f1248f969c309a2ea5703
2023-05-24 16:18:58
24
70
676f7e0355c51006412e9efc876026e0a910a8acbad18b7760cc33e315f7f19c
2023-04-19 19:10:43
21
67
635eed5e86f6aab866f0d752eed951a7294c66fed23f3c7ebe5c47628ccefded
2023-04-19 19:10:28
23
67
8842a041d1c456d7ac7d1d4dde8511c22360f4385701964d711b5446a2de8713
2023-04-01 11:10:09
15
59
52759d8fb22795e54b19e161f0c91921d97ece23f5def44accdd157fe3daeed3
2023-03-29 20:29:05
0
60
70a2a3cdd26b039aced764cffd4acf91dc70bfdd17d32d9c7e41c023dd0d25c9
2023-03-14 10:23:35
12
59
bf3692592130cb0e117056d784ae858b33f673235847ea2fd41fc8497975e3a1
2023-03-06 21:13:26
14
59
f827e9f42e61f15f0a611238060e2ab496b8c4d19510a70b9c437c36bfbfdb6f
2023-03-06 21:13:10
2
58
fdc05d876dab954a5b8a162292e4836514cbd2985a800be09dad0a4083d25d6b
2023-03-06 17:10:28
2
59
fde676700951eb0e3fb41a919361333787b36bae5d942b20922412f6dd74c7af
2023-03-05 09:54:14
3
54
968b7931b716c85cfc46164cc9ec3f570d777532dae92180fc6d255eb544d329
2023-03-05 09:48:33
3
59
0284f0992ac5573f29f791d77bf623af11f5f75eca017872ffeed5e6412c4fdd
2023-02-22 08:05:36
33
69
69512cb3c245a4ea35721969a832746b57e5a52a4eed33bb14c67d793a9df224
2023-01-31 10:12:36
27
60
8780ce6fb21d5e4597cee509b1cf6c47bed007f6eb1a08a0a7212c97cfcc32ab
2023-01-31 10:10:47
21
60
9a996306342981ed15c7715f38ba3b2d65713b0778f8343f57356f114bb25e86
2023-01-30 23:33:02
19
67
9a096d55448310d2c87e09bd48d1f6a64be63ce1d1adfc1145a3ca9c002c4ea0
2023-01-04 00:15:12
16
60
caf35ea9298dd671604af5920dccb89362fee4a67b24f8bfe73e12ceedc91504
2023-01-03 14:12:38
20
61
a9da2bd0acb71f33e35271568d357cd8c2fd7ca86638e519ee7f051aabc5ab23
2023-01-03 11:09:05
23
60
508973b0475293243c7c83cf2c19087d640fefdb152cba2f2d30dee7ff274494
2023-01-03 04:39:49
21
60
4d699c03048c59cf28689acfe8abf527734fcc097e4a3ad75cb21689e63490a7

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022