SUSP_OBFUSC_PS1_FormatStrings_Dec22_1

Rule Info

Name
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1
Author
Florian Roth
Description
Detects format strings combinations found in obfuscated PowerShell code
Score
70
Reference
Internal Research
Date
2022-12-08
Minimum Yara
1.7
Rule Hash
525997429ea7e4e3d05cc0b3bfbaef95
Tags
['T1059_001', 'SCRIPT', 'T1027', 'OBFUS', 'SUSP']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/susp_obfusc_ps1_formatstrings_dec22_1/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
33
Suspicious (< 10 engines)
37
Clean (0 engines)
14

Rule Matches

Timestamp
Positives
Total
Hash
VT
2024-04-02 08:01:37
2
60
dc69149c9590d5b78d4fc6855cffa6879984a19b3824616d0e4c368f936b5580
2024-03-12 12:02:20
1
60
fde14fcbb44cea606bbcf8ff9fbc90ef2aa5135d2cfbb35f9f81979583bfdf6b
2024-03-12 12:01:44
1
60
250f6828737a01cc19d04e29eeb9fccc6cd0a43212728e6ec2d9b76a89890bd2
2024-02-25 19:12:13
11
59
ff9ef26fa3b0b76658a8c6696bf2f9d23f132d1d422050802749134c446f757e
2023-12-20 18:38:16
8
60
7c53105a31cf1b868f3e8c9fc96e1c3ffcea651faad1a86766a1fca6d55ed87f
2023-12-19 05:02:39
25
72
976d037faed24f688e7a7b2f37e18dea68911a8b02603568e60469db8273f7b4
2023-11-30 11:01:57
3
71
d48d23a17f7b3b4ea1fd2b247582d90f9f593320a82b1d03dca956b7b3279cb1
2023-11-21 11:04:29
23
70
fc4525cea0b9c39dcb90be2946199c25e12ad4fbe0ea4c2e70364006fcb29aab
2023-11-04 03:38:53
8
60
af1c04051180e61745b676d36bf583a9e95995a810bba71c26d6366fc4eedb6e
2023-10-22 20:17:16
1
60
0502ec2a6c893ed6476bbc7dc06b156169eeea252e5129eb083c0c00cc49764b
2023-10-22 06:08:18
2
59
73a9bb603c20d3813a9bfe66db1c81c3e5874e8a9f38f5e37b74dfb819d847e0
2023-10-22 06:08:11
2
61
5251ece641772f6655cc715aab28d827eb26301d2351cca03e586651dcaf1e6e
2023-10-20 23:24:40
5
60
7532ba7f9cd6a693e024cbab122636630628539d2d20017b10938cecd102ed3c
2023-10-20 23:24:39
1
60
e94cc47df41dba60d83430eb026713b8b2a0e2a087990ce089d66f8540f6597f
2023-10-20 23:23:23
14
60
990e3a113d8bb3204699650b62dcaa1187a335212b07b68036eaa27c0065f437
2023-10-20 23:23:23
14
60
1940b877ab4114ffcfcf29fdc267cce4ace50e8d41290449d9f33783efae5efa
2023-10-20 22:24:21
1
59
25ce5f5f6ecc016cf5af64aaadb14c650abaa756a9f9557410603e740bfa2ae6
2023-10-20 22:24:20
0
60
adde7cca7ce73a7522093a0ed6b67279cc2c68ca57ce9bf55cebda48e48a8278
2023-10-20 22:24:20
1
60
f8109e25a9183bebca31a40615b464e7703bf21d79ca37256e889a438e3dbb10
2023-10-20 22:24:18
1
60
89b1b9507d505501812c35725e054cf85fa8094fe74995508885fb3a41df9347
2023-10-20 22:24:17
1
60
82ead699baf150019e92618af1377a5c395522d9240e0c934b8040ae1b70ee81
2023-10-20 22:24:17
0
60
52b8887e58c160ee1be12e1f9edd5ba52e2712d709f77a6873d7434fb6e04912
2023-10-20 22:24:14
0
59
bd1a671d9601657e8ca6f4ae7c1e3756e6422082821ccb7ec3c445a3eb7356d7
2023-10-20 22:24:14
1
59
8aa70e28f14d00f19d736da072582b5851f1bc9199891ddd726dda85f9c039d4
2023-10-20 22:24:13
13
60
3742d3b22c893f996b3fb32b88bde587e8d0b13f2524510eb5eddaeaaa82f85c
2023-10-20 22:24:13
1
60
06424d4010180e1886fb3e88f0685a2d43985198909979c3312572d526b7a367
2023-10-19 19:25:02
2
60
b1e9da267f3a007834993867b41eb5ee1063c83ad3797cdeda6864724b285a65
2023-09-28 21:23:34
17
60
49da4a08232802e9fa5efdd7bb405b145d9e188280bc263975bdf83dcc2fbedf
2023-09-25 05:33:32
10
59
77b83b09f13c109a177c46e4d91151c7eb7b241f5c606b201d8cbdfa55d8229d
2023-09-25 05:31:51
8
59
be384e48121ed8e6878556753ecf43c639f84306374a26992514267342dcf91f
2023-09-20 16:54:23
2
58
17405e9f8f889925521912aea72467330f3dffeaf8ec8678ef6f412204262896
2023-09-20 15:36:52
15
59
4e2ff31c0a475fd838ab7aa96b32f1c4e4f6960e097ea0cd2f4e4dab165edc45
2023-09-20 10:49:32
14
59
876e0d32864ef6999d52e4a73ca8c2fa3342b26bb3aa86f3f55888a6b65fb076
2023-09-18 06:08:36
2
59
d295b2db5347e6873ef32f8db3663f601be989b67f6d743e100541ab80124d5b
2023-09-16 19:32:49
1
59
9976ccb1ccf473072227b28d4825cb942c41ec08ddf6b1ca3613e0c989a25f65
2023-09-14 18:34:28
1
59
3f8a4520c11d2e57f228a8bd26a370ac71a9f12823b50de93df5e44bae42fca9
2023-09-13 22:23:14
28
59
7f8f8c82fec8acbb0947a192dd5cbe8b95ffdba4e252b582eae127f1c062399b
2023-09-02 15:17:00
1
51
2d64c375ca793ba18c627b4addc5dfe992ae261b3832f2570e775d28c353e751
2023-08-29 20:23:44
1
53
adc0c92429773ebb606ba3aa88f08aa0be4b06cad786f840ea3fe558068ab3d8
2023-08-28 17:24:15
2
56
174d4436f0624ac63c002e4c32bbd8e52988f836e48ee763f4d08820ea81a0bc
2023-08-28 17:24:09
2
55
3be8cdb350b626ef9ed04634d597de8e7bc5bcf0fa0f99dd132263c7f88f137e
2023-08-28 17:24:06
1
56
0fbff6e9d44dae082b3b8701dd199b4096ce4bf87a0040bc952d9cc8fce25059
2023-08-26 06:13:08
13
59
553d3cb9627eeb1ab87f75f743b357b6540ed81dfa0b1cbdbbe375de2d5ece19
2023-08-21 21:04:16
6
58
626696864c651682c5ded75794ba4fc281bf393dc79d0f04b4a7e07e340da958
2023-08-21 14:29:32
0
59
9e970a91fb3314f5e46403d43eb0b066a7e88b1daa6e51d0e723aef381ee57b1
2023-08-18 11:18:50
1
56
2dc7253a7ff02176e5334273f8dee1446697f7a996ea4b63164468e921b1ceda
2023-08-14 03:24:16
0
58
1521435d9d3fb9dc5b08494130f2118b073a6bc6dc233e3ec404225a57b9c4b3
2023-08-14 03:18:24
3
58
70ca31589a8d5340797656a06b175a351f689b45716114311bad0ca46054a3f5
2023-08-07 12:46:32
15
59
4342d531840c988544e50c3eab63171fe7ead690027515112685201c849ac032
2023-08-07 12:00:45
12
59
4227be722f723cf8424e63c622325bef219bbae5f57aa78e37523913c63559de
2023-08-02 15:53:14
0
59
5ab4a60cfecbc66c01c0f6b131fe131bb9b2d3065a737a7dbab7b17d57f6567d
2023-07-28 07:23:37
0
59
d78492f615c999c97726d01714b68792c806d272eefab3cb256f064c45d218aa
2023-07-26 10:20:03
5
58
d24eb6d8bab508257a9162d5d4cb9a025ce70db70c9cbaa1972b3f2bf827290b
2023-07-25 20:22:36
4
70
5fa7451665cf54e1a00a7aeef603c7e44dea9973b001465547d0cb574ba6eaed
2023-07-22 14:22:57
19
59
6f8ead11bc60dc89619d5dfebc63a236b11b2f65da9271b81a2c751baf8768a2
2023-07-22 14:22:53
12
59
839efe795483d1c6aa4efa11eab309e6e232e181686e39cb27e18784a17d9e69
2023-07-22 14:21:28
0
59
40700c3c5b8b34e105d09a5e25b920e3340ddde754a4a4903f9fab9a2743ef6e
2023-07-22 13:52:53
0
59
0d35a6f9beaf6c9ba0335deb6340a0b0327f0658f7b5aa06697e328b73f4cf3b
2023-07-22 13:51:43
0
59
14c13ceedb2757ef94bc245ebd2e64702caf49205fb16b6c74449e7c362ad451
2023-07-22 13:49:48
0
59
ce91b25495792bab27166e715e7fc9b644a95eff19f1eaebc107de79848f640e
2023-07-22 13:26:27
0
59
3a041d9895f02a108eb33386dafde9c6359f471572f48a89bd65b47fd89fbd5b
2023-07-22 11:07:16
0
59
b7599692fbe6b32997d5f34006ab30a2f5e760dbe797d9e5c86e794cb622761e
2023-07-19 11:38:51
24
70
1a32bcfc64e8f7771a2ff46d725dd8796120060d36067e8ff4d02dcba9c56b3c
2023-06-28 16:39:51
15
59
6c9e099595f3bb25eb930cd8b407742c7ca3584ea590fd2e0a08bc551a90a720
2023-05-24 22:09:27
30
67
92d81f9749f74883a9e7a8931d5451985087c6b8f34f1248f969c309a2ea5703
2023-05-24 16:18:58
24
70
676f7e0355c51006412e9efc876026e0a910a8acbad18b7760cc33e315f7f19c
2023-04-19 19:10:43
21
67
635eed5e86f6aab866f0d752eed951a7294c66fed23f3c7ebe5c47628ccefded
2023-04-19 19:10:28
23
67
8842a041d1c456d7ac7d1d4dde8511c22360f4385701964d711b5446a2de8713
2023-04-01 11:10:09
15
59
52759d8fb22795e54b19e161f0c91921d97ece23f5def44accdd157fe3daeed3
2023-03-29 20:29:05
0
60
70a2a3cdd26b039aced764cffd4acf91dc70bfdd17d32d9c7e41c023dd0d25c9
2023-03-14 10:23:35
12
59
bf3692592130cb0e117056d784ae858b33f673235847ea2fd41fc8497975e3a1
2023-03-06 21:13:26
14
59
f827e9f42e61f15f0a611238060e2ab496b8c4d19510a70b9c437c36bfbfdb6f
2023-03-06 21:13:10
2
58
fdc05d876dab954a5b8a162292e4836514cbd2985a800be09dad0a4083d25d6b
2023-03-06 17:10:28
2
59
fde676700951eb0e3fb41a919361333787b36bae5d942b20922412f6dd74c7af
2023-03-05 09:54:14
3
54
968b7931b716c85cfc46164cc9ec3f570d777532dae92180fc6d255eb544d329
2023-03-05 09:48:33
3
59
0284f0992ac5573f29f791d77bf623af11f5f75eca017872ffeed5e6412c4fdd
2023-02-22 08:05:36
33
69
69512cb3c245a4ea35721969a832746b57e5a52a4eed33bb14c67d793a9df224
2023-01-31 10:12:36
27
60
8780ce6fb21d5e4597cee509b1cf6c47bed007f6eb1a08a0a7212c97cfcc32ab
2023-01-31 10:10:47
21
60
9a996306342981ed15c7715f38ba3b2d65713b0778f8343f57356f114bb25e86
2023-01-30 23:33:02
19
67
9a096d55448310d2c87e09bd48d1f6a64be63ce1d1adfc1145a3ca9c002c4ea0
2023-01-04 00:15:12
16
60
caf35ea9298dd671604af5920dccb89362fee4a67b24f8bfe73e12ceedc91504
2023-01-03 14:12:38
20
61
a9da2bd0acb71f33e35271568d357cd8c2fd7ca86638e519ee7f051aabc5ab23
2023-01-03 11:09:05
23
60
508973b0475293243c7c83cf2c19087d640fefdb152cba2f2d30dee7ff274494
2023-01-03 04:39:49
21
60
4d699c03048c59cf28689acfe8abf527734fcc097e4a3ad75cb21689e63490a7

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022