SUSP_PS1_OBFUSC_Apr22_1

Rule Info

Description: Detects suspicious ways to obfuscate PowerShell scripts
Tags: ['SCRIPT', 'T1027', 'SUSP', 'T1086', 'OBFUS', 'T1059_001']
Date: 2022-04-19
Required Modules: []
Rule Hash: 25f127a7ae18aa63212a119920928ace
Score: 85
Av Ratio: 13.43
Name: SUSP_PS1_OBFUSC_Apr22_1
Author: Florian Roth
Minimum Yara: 1.7

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 8
Suspicious (< 10 engines): 20
Clean (0 engines): 6

Rule Matches


Rule Matches per Month (last 24 months)