SUSP_PS1_Downloader_ProcInject_Sep21_2

Rule Info

Required Modules
[]
Date
2021-09-02
Reference
https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48
Rule Hash
4eeed28ae49935350d0beb7fb8c1e5c4
Name
SUSP_PS1_Downloader_ProcInject_Sep21_2
Author
Florian Roth
Tags
['SCRIPT', 'T1105', 'T1086', 'T1059_001', 'SUSP', 'T1055']
Minimum Yara
1.7
Score
65
Av Ratio
15.52
Description
Detects PowerShell script that shows sign of Downloader and Process Injection functions
Virustotal Matches
https://www.virustotal.com/gui/search/susp_ps1_downloader_procinject_sep21_2/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
7
Suspicious (< 10 engines)
12
Clean (0 engines)
0

Rule Matches

Timestamp
Total
Positives
Hash
VT
2021-10-11 16:23:37
58
21
c0fefd788e53dabb99da6c3f1f9d825b267f2049bbafe300b8dc90fbceda9241
2021-10-07 17:15:16
57
13
c661cf4d7f62583640ffc8e46806bb86db2e3a10241c0e268d2d42debde36a10
2021-10-06 11:40:44
66
3
ea363c85790830561c0c20cf216e620de46d5fa7e6ce4be4e318d436bdb4440e
2021-10-06 11:39:34
66
4
e6f3cb9f0ddeec9e4b151d5bbfa932540a671b8de526c66e9b92f7dff0a14e74
2021-10-06 11:38:26
67
3
66f5a396e83dc37bda451dad6341dcd52a03480bf4ad3942c7b01b79bb8b64da
2021-10-06 11:37:15
67
4
38c3ea77e59e4f87728341e5f29bdc963ce58de32bff40dce3308e1b57bcf785
2021-10-06 11:36:06
66
3
6670aeaea822824474b5ed11fdbe8455c0b585cdcf22e5f983b260e984a5c138
2021-10-06 11:34:51
66
3
00ddffd3d37f7992833a585f8fcbcedf77d69560a4ffa1b66325dbcb859fa221
2021-10-06 11:32:40
66
3
5a2e04f4ec57d589d1ba95033ba49d0786f18cb2f58131c787dfc02d84c7cf1e
2021-10-06 11:32:33
65
9
23dd926a9df50ba2125b1af30d88fdda0268031f21ac4235394feb8181f6371e
2021-10-04 16:25:04
57
11
8fc047fe0e9976e6ffcc29e130904cc3f6e97224e8fd5ce53c04ac482007b4fb
2021-09-28 13:50:31
69
26
1d38b2ecfbc484b8c01d1b985c458f581e940e26a39f11efd02dfdfcb122e254
2021-09-21 15:32:15
67
5
cec1832ef42110bac8363564619f1532c1498894038c476956a9a116ebfa23ac
2021-09-21 15:32:11
67
7
f04287d2a87709ce3193d8d360842f225b277ca65dd1d1111cc2d881bbbea5e4
2021-09-21 15:30:55
67
6
56b928fa95be1eecba621cf4a756fa62fd6067aa5056da1d1e643726066d4003
2021-09-21 14:32:37
67
9
f0c9af007404d0d0752287e284d079401f920b18ed1980bece67326b32d31718
2021-09-05 16:56:22
56
11
52a03288672a2aca8f708b593d95943125de3bb0d69917b86a43d22bb1db42bd
2021-09-05 16:49:00
56
17
765938386d68d2f8f5b005a9c978206010c3b4693ee3d762689401b610c4d6f7
2021-09-03 09:30:46
55
22
8d09e7f354fcf13af9c47729ae09646295ff8ee51d104641d2054ac2bb280e78

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020