SUSP_OBFUSC_PS1_Quote_IWR_Jan26

Rule Info

Name: SUSP_OBFUSC_PS1_Quote_IWR_Jan26
Author: MalGamy
Description: Detects suspicious PowerShell scripts that use obfuscated quotes in IWR commands
Score: 75
Date: 2026-01-30
Minimum Yara: 3.5.0
Rule Hash: 82b3e382ae0a22f9852f0b22b47d60cc
Tags: ['SCRIPT', 'OBFUS', 'T1059_001', 'SUSP', 'T1027']
Required Modules: []

Antivirus Verdicts

Rating | Number of Samples
Malicious (>= 10 engines) | 8
Suspicious (< 10 engines) | 0
Clean (0 engines) | 0

Rule Matches

Timestamp | Positives | Total | Hash
2026-06-05 22:18:26 | 24 | 51 | a8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7
2026-04-28 17:21:45 | 32 | 63 | 9b2637b8fefeedf8dca8a0ace491de05b6d937ea7463b48562cd1a0f25abb9f5
2026-04-15 12:28:04 | 15 | 63 | 045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd
2026-03-24 11:14:15 | 18 | 64 | 75749c315f39faf32ab6758f3c1cb0cc992150ab4a3e841a3afc5679bb639ab1
2026-03-15 11:21:06 | 22 | 63 | acd8b83f134a42f6926a30cc27aaf4f0b4085503c21dc4b3fd8656282eacba77
2026-03-14 12:30:45 | 29 | 61 | d1a9ad4186abdb66340dcad87833d30ea8ecc977f530163ad10e053e9e37cf5a
2026-02-18 14:03:44 | 30 | 62 | 4466995be863ec4405fc053296cfe74d0098f94e61aa89c95fa2cc80c8ad6cb9
2026-02-10 07:45:58 | 16 | 64 | 24e16b13be82a21d4ebd38715deccaf55d34023507918825f40e1071c8da92a5

Rule Matches per Month (last 24 months)