SUSP_Script_PS1_PE_Injection_Indicators_Mar21_2

Rule Info

Name: SUSP_Script_PS1_PE_Injection_Indicators_Mar21_2
Description: Detects suspicious script with keywords that indicate PE injection techniques
Author: Florian Roth
Date: 2021-03-01
Score: 70
AV Ratio: 18.13
Minimum YARA version: 1.7
Required Modules: []
Tags: ['T1059_001', 'T1086', 'SCRIPT', 'SUSP']
Rule Hash: cd2ba5a0d9e3fa35d44ccd7a3f7cb695

Antivirus Verdicts

Rating                      | Number of Samples
Malicious (>= 10 engines)   | 17
Suspicious (< 10 engines)   | 18
Clean (0 engines)           | 14

Rule Matches

Total | Hash (SHA-256)                                                   | Timestamp           | Positives
67    | 64af09e2e96a2b891dfcfbf9c81e25d16f14ff0986834318313b22dfa83f6574 | 2021-09-24 11:46:56 | 51
57    | 496acf51f8dd8cdebef400eb978d6f78cab158dbec1dfe5d63f2796469a5a256 | 2021-09-22 20:14:41 | 8
57    | 197621633693823d4cd7741929bf6bd9c44592aac7e6e64f007ea47218d2c271 | 2021-09-15 18:46:06 | 1
67    | cf571198410cbcd22359eb42a14d72c0245751ef281d1c9d865a6d4e9178199d | 2021-09-06 14:22:50 | 39
57    | af4abefc4f8b19e0e3ee28ee9c9ee90675c9dce866ca9b2f459dff69d2adba43 | 2021-09-02 22:15:35 | 0
56    | 7650648e023accc26acb5023990287ddbc2f38f77539175b3ce08d313ecd0b16 | 2021-09-02 22:13:17 | 0
56    | 8a98e53909824f01f2980c5e800f0d5b9e52265371e1c2f4e65487fea82a7e08 | 2021-09-02 22:13:16 | 0
57    | ca4fe431b848098da63c968593f0603d4207ea130fd0d8b20ef02da41851f31a | 2021-09-02 22:12:10 | 0
56    | b3bbe90c987d78eeb65c0aac26006355a21d87dd20332c6e49fa25ea12e26ef1 | 2021-09-02 22:12:08 | 1
57    | b8f940e8141e0d36aacbe8c8d58d704ae75eef2d8ffd8719b73b78e31522b3b1 | 2021-09-02 22:11:06 | 0
57    | f296428d1343502a5946b173f173a7a472a1f114a03500a3143761d4baf7cefe | 2021-09-02 22:11:05 | 1
57    | 4f5ba222a8585623879ba0b4f3f22ea3961838a844751093045da6b484f92aac | 2021-09-02 22:11:03 | 0
57    | c23a6d3ffeadee7455b2a472d81424130a926dfb64ca4591db0db3c1703c8300 | 2021-09-02 22:08:41 | 9
57    | fc778be7b4be516df67ddaeca4b203ee2edf3b739057fa5bd0dadee336fb2cbf | 2021-09-02 22:07:20 | 0
57    | e71514285792f380278f1bb439929ea1e3de2d6f5decbfb08707230037c522d0 | 2021-09-02 22:06:12 | 0
56    | e4a7cc10ef65e9827af9fb9ad8878bdd377bfde40dab279bdbea17da5e8e2a05 | 2021-09-02 22:06:08 | 0
57    | 350712a34de6b782a8ce51b483e302054b3947fe5b57eae14fe229d16b7488a2 | 2021-09-02 22:03:49 | 1
57    | cb715c77685eff61cba3a722405bc76d334c3f73314108da25768ea25b1e8eca | 2021-09-02 21:59:19 | 0
55    | 0b3bca4745a6ac53e1829e7ffbbe099d4f4228657d87603d16818243f530fcfe | 2021-09-02 21:58:13 | 1
57    | 413c313a5f654b0b329439f4c1ca34548284cd4d46124f77e090c981ef45754a | 2021-09-02 21:33:18 | 11
57    | be9764d060f34f36e7708195e05a2f9ddc97aab812ad79f36407731ab23b8139 | 2021-09-02 21:28:51 | 9
57    | 5f9f58d477d74acec158c2f5165f6b28565b89453352e6c6ea420a8f2cf87392 | 2021-09-02 21:27:49 | 0
57    | cbffffb2fb6e72a8b916ea65d2648f66dc54475cefcc27249bab32329e7ea9f8 | 2021-08-31 20:44:36 | 9
57    | 93a8c655ea1726034ce4190bb7038fa233eeb908aaaf42333377418e60b9b287 | 2021-08-31 20:42:00 | 9
56    | 776a239d8fb85cd122ade602dc970088d1809a207e39e0de15d68bdfd84f1462 | 2021-08-31 20:40:57 | 9
57    | e19a4197653d1906cce922a4598e569ab5c3f12222669b8fb7bf11ede06004ba | 2021-08-31 20:39:47 | 9
57    | 5490cbca0b034eaf9488ea8dd04a443a24f30e98ed00f4adb3ca822f022137bf | 2021-08-31 20:38:17 | 9
57    | 14fe1a925f93fcf69e74402ae63dd0a81181fdb19e3db5105d7560962a13a32a | 2021-08-31 20:35:56 | 10
57    | 793334e056c03976222ca3929e322898fffa35bb002100525bdd1308741d0b02 | 2021-08-31 20:15:49 | 10
57    | 3354b07bb0ff15956988fe69fadf91aadda2cbae9445859e316092e7b73faaaa | 2021-08-31 20:00:23 | 11
57    | f64e6e77bf5e654f53f07b2d48cf418c18caae4cb537e9bcf8270fbf976972e4 | 2021-08-31 19:28:06 | 0
57    | 4ba3c052fbb5b23172095cecc962cb4643824c15f9b386c5a21272bd03777af8 | 2021-08-31 19:19:59 | 1
56    | ef136af86833bccd21451d042ea4ea5d8a8952cc97b8fa732bf7f2d5b06838e8 | 2021-08-31 19:15:28 | 10
57    | d1b3fc8bfe3eb1ec414d33d6ad82d6c891665e1057c209a693736c8bcefaf840 | 2021-08-31 19:13:02 | 9
57    | e264f3f64235b699c9e6e6e1847977305d5e6ba569ba0e6207a973a90aaaab89 | 2021-08-31 15:03:01 | 15
57    | 92867366b0f75829cf25815f7f4bd7e7d397ff1b4d69fc00842c61fa626ffb28 | 2021-08-25 09:55:56 | 6
66    | 4b6364fe3ace13ca2ba3c77de2a9e1628165cb2de2de0b31364c45610293a17f | 2021-08-22 10:25:39 | 0
59    | c7a602b7907d501320577049f55a0722ff3c7fc0102b6c6ab6c4171acd9ad78e | 2021-08-03 16:28:14 | 34
59    | 6285f4369da554005e93a5903a3e23b77b48c8f80e15b5b4ae3d3c8d80647bbd | 2021-08-01 15:09:06 | 34
68    | 9d4e75a53fde162f99b1702ab442b4cd3a9790f6f535bb0c8d496244245da5ac | 2021-07-26 17:50:54 | 0
58    | 7e42b68a2a6f5090ebc1b108469c7f1fbc232379738075b673ab7a11cc8d632b | 2021-06-27 22:02:43 | 4
55    | eca308ba7f2473a4afcda6e8c6eef4befa113eb991567bd94ca90a14554bfb7d | 2021-06-18 13:12:19 | 29
58    | ca90b5d46e8944b4d7538a45d2b926b92d8affa42654a9c78a3c839e11aab7b2 | 2021-06-08 11:32:47 | 12
60    | bc04d425c24592bd67542de41830272ac6f18564b9b9a3fadb88ccda0909b7a1 | 2021-06-04 12:01:57 | 29
59    | 44c76bf5806b8645843fee81eac07c50f1dfb10522954c59b35498c24126e01b | 2021-05-22 20:55:10 | 32
58    | d4e790b90e24e33f89f7c7da99ce0f76b10dfa1b7a1baf091b7a34951a71c573 | 2021-05-07 20:10:00 | 4
58    | 3001d3aea048d4624a808d041a483d0b5142772fa19412c1177e83ffc2e543de | 2021-04-27 10:00:02 | 22
59    | 546c86fd10855aa67a736b1df4a6288da023c21794a31d19d60120abfeef105f | 2021-04-26 01:12:48 | 32
70    | 1f8ab348af6cbbe737f5831fd3ff5c1313615ef3c15313e42ca6688ece4a7627 | 2021-04-25 12:12:15 | 54

Rule Matches per Month (last 24 months)