SUSP_PS1_OBFUSC_Jan22_1

Rule Info

Name
SUSP_PS1_OBFUSC_Jan22_1
Author
Florian Roth
Description
Detects suspicious PowerShell obfuscation noticed in malicious scripts
Score
65
Reference
https://twitter.com/ankit_anubhav/status/1483767279141945349
Date
2022-01-19
Minimum Yara
1.7
Rule Hash
f86ac1d2151d78afc0f98bfce443bb31
Tags
['SCRIPT', 'T1027', 'SUSP', 'OBFUS', 'T1059_001']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/susp_ps1_obfusc_jan22_1/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
27
Suspicious (< 10 engines)
61
Clean (0 engines)
19

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-07-18 09:38:13
1
59
e421e9675c0e0d6503be80c186e6014a036eebac68e9212d7826df836c269b84
2023-03-06 08:26:12
11
59
a73b6ad9115d8be5cfa9bf2cdc22433ff863e66827647289054f5ed0c9bc7d0f
2023-03-06 07:56:57
1
59
17be209c7a6106bf4b58b0a06de487d6366140fb72340c7eb0fc6396a675193c
2023-01-03 09:08:50
15
61
4433b81c19c22007b1e92ecc023b19e2231566ace524b9e5961750f7fefe0dcc
2022-10-30 09:07:54
12
61
1166bc4f821014ed25cdec3e79007e784f3f0ca266e46ba63541a80a0d17cf2c
2022-10-09 10:18:56
14
61
6275c27c405a5312e8fa6f32002e7b46b5c9cb2f3cbb4274cc15b64cd45fd283
2022-08-14 11:02:40
5
57
19f99d74a0c947fde8a82ee0777f0a048d63e9fa40e49f3fc80c61f0bf27d8f2
2022-08-04 06:14:32
26
60
c3dfa16f500e898de1915893a030dab6673f513ceca796ffb6b3dd8cd41c12fc
2022-05-31 18:47:22
7
55
ee3b99dcc90d1cd9229646a73fe35bd8d5fbb7676f88777602c4946acb55111a
2022-05-30 07:00:39
5
56
5419012191870c4503d001328b72620e9f012364c5fb97794987f4a5b6308280
2022-05-30 06:51:47
0
57
bbc5e169ebe2dc572447dde652138bd8f538d441a1847030525981b444218f8e
2022-05-02 23:54:56
18
59
f17e806224cf64206ee28d0a1cbd10fa2c6d8e963062f55673dd5f98bfe06494
2022-04-06 00:22:03
17
59
edf04bbd6dc4d9f3dc84d829fb7623b0172235e50631610b1f742d7a348cc133
2022-03-30 22:26:43
12
57
81c9ee2eb3ad8fcbb954cc40080e29598e30fc0794d9a32b7e546870dddb2047
2022-03-20 14:41:45
0
55
3f000d0d1773e02314cf3e1817bdc59c5158d2d1faef3633e4f8bfdd5f3b176a
2022-03-20 14:41:44
0
56
05defc7876827cdd02d90600350f03b8f9fbf092a961624eaea71b0127dbcca9
2022-02-26 11:56:44
9
58
ba28fccdc40b91b669073ba51d0701769aafcab77065c3c2fd3f0cc41741a239
2022-02-23 13:33:50
1
52
a001239c01c244fdbc243c4113c86067138d6ff62b3f28e0b63b69aaba916179
2022-02-23 09:45:57
15
60
e4e95269b819e57939176796a2942c4eda1edb9f42331a41601359332f9977c5
2022-02-22 17:19:36
7
59
623370c62b36a14b166fae3d646b2278e4be5ad04146c07041561c2c9d1fbd5c
2022-02-21 23:20:03
7
59
76fa4c7887b84dff00b3c1890832f200017d0517a406619fa905aab9e77d319a
2022-02-21 20:37:06
16
58
7bdc94417c123afdf60f97d0aac69c24e50c5b0c218e81afb353ed4b14310e93
2022-02-21 14:05:56
14
60
d2537eac1ae5c46942d2202056d63c1094da4d0be35460e1d6ce0b6dc7aac5dc
2022-02-21 03:39:12
9
59
7588b35ca743821c64ffecb343f5b663b95a56c1a71200fc7777ee2e4edcaf1b
2022-02-17 17:12:17
7
59
98b68fd3207abca9b6195c98b4f4a515fa821c84c83edd3d38a828545684716e
2022-02-17 04:09:39
4
59
947f696a6a356810aa4843bbd616cb3efa88c74d1332fb60fd944ba607ebe280
2022-02-15 09:12:36
10
59
57a4fe17688c25876d347f6422fb0ab12f515f546f08551896d6c096c292d2c8
2022-02-15 04:49:42
9
59
a3e515436fab8ad0f408f2bf5c9eca9b2a0e999db343db9e77a33b2e832a828e
2022-02-15 04:49:36
4
58
7230ae58075c77fc291c49b770c40e74faef3c5b5cbd20f23c0fb9b203f25064
2022-02-15 04:30:59
3
58
a1ec9dbe2ecb8605adb1d74ecc4a361e2f375b7bc927ab11374fe12e198132a4
2022-02-12 02:36:57
9
58
ef0a46ada97bf8dae50a8ac0dbf4e935b92bb40c3f051912e0e9caa7198598a7
2022-02-11 18:11:53
2
59
46bb0baf703fd98408af22a2c0e1435fd815197542a80dda7b9fa5052dd80f9b
2022-02-11 16:35:40
5
58
155e0905edad19ce2003aca02317f90d0f1f2c5c8442e9173cd6c6e6c1128990
2022-02-11 13:39:06
7
59
dba78036e778d103a14d4565f019a99a3c95ef8d9c2c5ad87474414603a9c9da
2022-02-11 08:20:10
0
57
9ed33fca9e7760da72d1dde8dfef36c20c9c774fec1e88a6edfbe956f9ba9973
2022-02-11 05:38:51
3
54
b83a50666796620d74b5b50fbbd40704468fc8295c5d0747927a9859dd6a463a
2022-02-10 23:58:02
9
57
4d53dde5bc1a4b6adb0e92c18f4b2623acd864fd57572186fdd90b6e514b7bb5
2022-02-10 23:03:10
6
59
a9afdebf1cff70ba85167945fcef53eac7ff0b9acdc90fdcb89f77d5a4aea440
2022-02-10 21:20:03
0
58
374823f3aa8416b009523502b6a7ca40f95e786e659c6821705b9553761d65e2
2022-02-10 21:10:50
1
58
507c6d13d940584429c2f55b2e5ba4a01c4a964abac41c704ed3b80821ff6f52
2022-02-10 20:06:41
5
59
d1a3d1aed3406a863a23b4f3449d4f4902dfcb32af3cc0d7474c43df1cce183b
2022-02-10 20:00:03
5
58
4e754baebee1544d1cb5173dc749c97bff56f82c5e6467d454080df1a28a3a44
2022-02-10 19:57:30
5
59
d074c74b09cb7d64c8647b8da0adeea4293db6abd5d0ae4202cef511252acf1b
2022-02-10 01:16:44
10
58
c1f70eea3a5666816e6c4010beef0851c65a9d7158ba396bcc06aeed2b56926c
2022-02-09 23:09:31
5
59
dfd2ff29596fa87ae4b2e1fb73b7bad9e2493b6a194e785cf5df695668a0e3f7
2022-02-09 20:21:28
8
57
9267666d38d5436a09508310df9a9c3433b7cc83e9180b2a8d972b5187030b31
2022-02-08 20:33:55
3
55
36516c3e1bbbfb93db92febec17754377857eb1993cecd984e5746620947c71b
2022-02-08 20:31:36
3
59
899d4167e666323134f9c41b688f6e75daacac3de5ea1bd3cdc555a33038c6e9
2022-02-08 04:09:37
9
57
63203d5fa490ac4467049929bfce158a940cf325c09231c0db88a836ddb3ffd5
2022-02-08 04:07:20
3
59
178292fc5dcaea738366c3d478ff5247b5f1e1797e5d125c6d082c6748a2dc77
2022-02-02 19:38:27
2
54
ef8b95aa2cb22b647748c650221dd0ec2feeb7bd14624b1b4e5c2f24463ca3fe
2022-02-02 19:35:58
2
57
b4e361bfb6567b29b468a1cfc3e778b5aa9b390cd2cb38a1995d1c9d1d82c526
2022-02-02 19:33:19
2
57
8655ed4b79c8896531fa9b019942bcae76f86e6abb1a97f74cdb44c5c3a71991
2022-02-02 05:38:15
0
58
7f9061c47c388819b1f4c650b02a5f6e70a22ee4f8b5b31b9bae7e200d083a76
2022-02-02 04:05:33
1
55
845f4287e10379bf26be297b131db8a712bb4e32aa7c8a1b450911c131572fb1
2022-02-01 20:29:54
1
56
3351212f7922d66eec579b27457100399ff63440ac7e1103f3640db7a3c6d9bd
2022-02-01 20:29:50
1
55
2e559c979bc024a58ae9c286285ec0192e8f31bb764cd217659d3e7555f06f82
2022-02-01 18:48:45
0
57
c244b75e31318410871fced0877e4472f2cd4d1ea5e12e72b8dc13d441e4a1ec
2022-02-01 18:48:18
0
57
6073be941427080d2856e4c5ec93fa5603889dfc7e0a59c71ba5dfac38414dfb
2022-02-01 10:12:24
1
58
38533ea492685b868e5519ddd60336e32efb62317db0b348fbf52013eb7864f0
2022-02-01 10:09:51
1
57
ffd57cebb3c4f17db05dfbf01222f56e40f640262a5495636b871f45ad4497a2
2022-01-29 09:44:54
1
58
daf363c053bd2a28c9b71dc9ea380b3d8f64f5d0688456e91fe7ffec2e02403f
2022-01-29 09:43:48
11
57
ed9bfd2ed430642585f273cd89a9b77a399fbc3888406a84262da3f4d09a5268
2022-01-27 17:32:23
3
57
9cbeee34a2f049066ef0e2a42a3bdad6c6f5f1c1cedc25d6f40441355379930e
2022-01-27 17:06:29
3
58
6191a1c03ed4088ac490ebe34574eb961b008d7565aefeb795c43acddbad64fa
2022-01-27 16:54:42
3
55
a523c46db79be3881d0f7040a14e03ceac28c691e18ca50d2c7601d0e406f316
2022-01-27 16:53:32
3
57
6df0b4975a8c4ef26f9269fea636933db9775bd282a92f71334855dd7b6625c6
2022-01-27 16:50:52
2
57
72245cc7636146b034ec07adca2157d3200188282144c61813209e526acba566
2022-01-27 16:50:52
4
58
66b962b00b236eddbe7af1e380232c4d3b88cb126a6b8d41670e253433da5595
2022-01-27 16:38:25
4
57
3ab47fc4a23219081ca4450c531248a3ee4d471d5dd91d69f305ff7dd1905322
2022-01-27 16:38:25
3
58
42d68d6fdc19bdc8f85f9a2a22ae454c139811e81bcb66add1ace7a0e09c88b4
2022-01-26 10:20:22
2
56
41e9c52160ca7421bdd1e34a2bf8086599250cb6623f3d8cf2d242405bddb242
2022-01-25 22:32:19
13
59
07fbe1e7d7af4cfed679bbd4ad1b1fab6b6be6ea82b5db5051a31040ccffaeb1
2022-01-25 22:31:11
13
58
8a290d6b06bac10a527cbdcb1d59933e3a2514321b99758da58b3dec09debd8b
2022-01-25 22:31:11
14
59
d9fd3507c0e6f75f739602a4f1933f7a137533d3975a647a83cab600281a0285
2022-01-25 22:31:11
13
55
7ce91e603f707c8594482eb7d8e0bf72fadba7d6197c38392a8822ceb82b8d5a
2022-01-25 22:31:10
13
58
901a5336104dd1b5abf518e743c4fb0d5119d6c6d6aab15383398ba567546da0
2022-01-25 22:31:10
15
59
173417b3bbb820fdc97cbceadb6c9d6ca3104e9b4cbd9c67b6f60b46c69f8279
2022-01-25 22:31:09
0
54
afdab5ddd84a71c44010721ce58354bf9f45808189fa5f4dfebfc701960e752e
2022-01-25 22:31:09
1
56
bbe62e5998b2561d14468cfe1ef242dcfb69d4c22f8c8c9361e0966f6f70cf4a
2022-01-25 22:31:09
1
56
f47675fec722222a8b8641a7828387f773d1e8034bfa9a95e0b338a0489a5734
2022-01-25 22:31:09
12
56
ea213f5e8baf0e0dd837f4f97295f3ae95349c8381fd56e73bc93a98c7f97cdd
2022-01-25 22:31:09
13
58
53a551ab03eeece9e370b2fa56f2fda943605f339dfc1c0329a84b8337fd49ef
2022-01-25 22:31:08
14
59
757bb7e60895313dbb8f4b5b317f0ef1686844630787c6cd115ad36f19ab7611
2022-01-25 22:31:07
1
57
b3a98545fb97fb6cacb3baf0bc5bf4308690b9c95962c50536771a0fe9ec4efe
2022-01-25 22:31:07
1
57
cbeb3ed413d57183038ac35b8cb83eaf98d0beae4f94c418267dcfde2b111930
2022-01-25 22:31:07
0
57
9efbba996baf44ad3cb2136aa54e6d7ec8a718c50f329192507ee129f607b7fb
2022-01-25 22:31:06
0
57
a3b88221235d1ebfbf4ddb55446628421064b7361c57f8f579e955580d00bffc
2022-01-25 17:00:46
13
57
f20489a8761d0ac5fa584e1b98740298768612e24288aa571ebb7a8aef19bf12
2022-01-25 14:45:21
0
57
1d44072acced8f1f9dc28b5cdf7befab3dc925440666ad0641db7c7ab0f8538c
2022-01-24 18:31:50
3
56
a5eb0c0dc648cfad3ff9f13c44bdc07a8e1e88646e69d95f6b6b8795a610d85d
2022-01-23 12:46:09
1
56
67a0adf89a91863029f74f7d844055368b647cccc4a9aa5a408b567581b20fee
2022-01-21 23:57:57
0
56
4390a86d723733d79d0f01f209bca8731de5d4e0b6f5bde2bc2d8e8074da98b2
2022-01-21 21:01:42
0
57
cfe70e55fb6e07a0e0dbaafd873794024d5347d3453da41194d5262dd43fe544
2022-01-21 04:57:01
0
55
530eaf9da9f167bc6d81527e23466ba6f06356f43f26957fddda719003044913
2022-01-20 19:41:31
13
56
f482409698c0ffbc926399ae7381bf170218fdaf192d7c0184452e8ad20a7b89
2022-01-20 19:41:30
10
55
ba71a0feee372fab197f182e31865c599f9fbce0a846af95fca6e1d4ab6d5151
2022-01-20 19:41:30
1
56
c5d347d920f5cf4f7bbd980c48cd1bb7ee3c24bd7506a32dcd83835f0b983f10
2022-01-20 19:41:23
10
57
9073c1859e4b3867ce03848c686b5980e8c8eb892da7d4034061286cfdd10648
2022-01-20 19:41:19
0
55
e41a13460c941e9ebd52f0f5bf4f91bec027ffe77777c9b382ac3d61654b891b
2022-01-20 19:40:13
9
55
e1275df30f9be48cd7e73b4eca02ab1546c81cb6a8f6d3b2034f3e72f7b237f9
2022-01-20 19:40:12
1
53
d05cdf6923dc2d63c000d814a24375e3d474f565738ca2764c39a9b74ef6c8d1
2022-01-20 19:26:34
8
56
9121e05636c36ab5053dae257b00d4dc046f2a852d33dd69412624ae68cee15c
2022-01-20 16:31:51
0
55
9984ce5ec7e04b6dae1c39cb09c6a135fed6697bd2bc4d08b93ef77770eaa377
2022-01-20 16:28:05
0
56
a57c72a2d92614a6fb3d72d8400a9771643a60f8cb3f2cee4a5a27731b00dff0
2022-01-20 11:42:22
0
56
12138c2aca3eaebf6c6b3f1b7b24c68ea5b9d29d4e88ed8412b46b5ce8feb2bb
2022-01-20 10:07:01
7
56
d96de808e92e4d42e93180be95ec52fbe490c506cd839365e71cb7168df6bfbd

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022