SUSP_PS1_OBFUSC_Backtick_Invoke_WebRequest_Jan23_1

Rule Info

Name: SUSP_PS1_OBFUSC_Backtick_Invoke_WebRequest_Jan23_1
Author: Florian Roth
Description: Detects PowerShell code obfuscated with the help of backticks
Score: 70
Date: 2023-01-17
Minimum Yara: 1.7
Rule Hash: 1abe1a6dfd990dbc0da26f87381e2f14
Tags: ['T1027', 'SCRIPT', 'T1059_001', 'SUSP', 'OBFUS']
Required Modules: []

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 12
Suspicious (< 10 engines): 44
Clean (0 engines): 3

Rule Matches


Rule Matches per Month (last 24 months)